Why you shouldn’t listen to Pat Burns on LinkedIn

An article entitled “Why The Internet of Things and the Cloud Should Break Up” showed up on Reddit and Twitter earlier this week. It sounded promising – I’m a proponent of decoupling IoT systems so that they don’t rely on the cloud, even if they still use the cloud most of the time. What I was greeted with was a terrible opinion piece, full of misinformation.

I don’t know where to start, it’s so bad.

A FitBit wristband connects via Bluetooth with your smartphone but sends your activity data to a FitBit cloud app. Does your personal health data really need to sit in the cloud or can you extract sufficient value from it by simply keeping the data stored locally on your smartphone?

This isn’t the IoT. That’s a Bluetooth device connecting to a phone. He seems to be one of these people who will call anything that is connected and not a full-blown machine “IoT”.

For most of the IT industry — let’s just get this on the table — the cloud today is the hammer and there’s almost nothing that isn’t a nail. And the cloud is an easy place to build an IoT application and operates without the messy hassles of embedded software, endpoint security, FCC regulations, or fertility risks, to name a few.

Firstly, using the cloud generally means adding functionality to endpoints. Take a standard IP camera, accepting connections on port 80, using port-forwarding for remote access. Add cloud functionality to allow remote streaming and the system takes more time to develop. It is not a freebie.

Secondly, using the cloud normally makes endpoint security much less of an issue. Traditional architectures, such as port-forwarding to devices, or customers running their own infrastructure, involve inbound connections to your network and endpoints. Many cloud connected devices have absolutely no ports open at all – SmartThings v2 hub for example. Because of this, endpoint security becomes a lot less difficult.

Thirdly, regardless of your architecture, if you want to use wireless connectivity, you need to deal with RF. I don’t see how the cloud avoids this.

It’s cheap and everywhere. Like beer in your dorm, the cloud today is so popular and so well-capitalized that infecting the IoT was only a matter of when, not if. Spin-offs like cloud analytics or cloud perimeter security (no laughing!) are simply too affordable and too visible to pass up. Traditional enterprise IoT pilots that used to cost $250,000 in enterprise software and systems integration services can be executed at a fraction of this price now due to the cloud.

Developing cloud systems, and operating them robustly and securely, adds cost and complexity. People are not doing it to avoid cost.

Tools. Compared to older desktop-based tools, cloud-based environments and API’s are vastly simpler to use and integrate while offering robust functionality.

He seems to be conflating using a cloud-based development environment with operating in the cloud. Nearly all cloud-based solutions need significant development in traditional languages, on a desktop. It’s not point and click.

Weak endpoints and edges. Endpoints that don’t do analytics, support real-time queries, or even support full two-way messaging tend to spew data remorselessly to an edge router and/or the cloud. Bluetooth, ZigBee, 6lowPAN, and others are all guilty as charged and as a result, they end up driving their users to the cloud.

He seems to have a bee in his bonnet about how “stealthy” wireless protocols are. There really is no link between the wireless protocol used and how much data ends up getting sent to the cloud. They are different layers – one a transport protocol, the other application. Zigbee does send a fair amount of beacon traffic, but none of this ends up outside the PAN. If your app sends a lot of traffic over Zigbee and then your gateway sends it to the cloud, that is not the fault of Zigbee.

It’s not secure. This one is hard to overstate as crummy IoT security is the sordid “yeah, but” in so many discussions about the IoT. IDC predicts that nearly every IT network will have an IoT security breach by the end of 2016 and IT departments are in full freakout mode now. Endpoint security is comically bad and compounded with a hacker-friendly cloud, what could go wrong?

There is absolutely nothing inherent in the cloud architecture that makes it insecure. In fact, there can be a lot of advantages:

  • Endpoints no longer need to accept any incoming connections
  • Endpoints and gateways accept no user-input, massively simplifying design of secure interfaces
  • Connecting to a central point facilitates use of IDS, a skilled operations team, and regular centralised updates

Equally, there is nothing inherent in a cloud architecture that means the endpoints are insecure. An insecure endpoint will be insecure regardless of the architecture.

It’s not real-time. IoT apps that require real-time responses can’t tolerate the extra seconds or minutes required for a cloud lookup.

and later:

Waiting 2–3 minutes for a cloud app to make time for you is a non-starter.

This is just pure misinformation. Going over the Internet adds latency. It doesn’t add “2–3 minutes”, it typically adds milliseconds. 2–3 minutes means the system has been designed badly, and this would be an issue regardless of where it operates.

It may not be faithful. The integrity of your data in the cloud is only as good as the people and systems hosting it. Sensors in your manufacturing facility in Taipei showing you running at 50% below your normal run rate or showing a supply chain hiccup? Hedge funds and competitors enjoy learning about this kind thing!

The integrity of your data on your self-hosted platform is only as good as the people and systems hosting it. Again, nothing inherent about cloud. I would rather have a skilled operations team managing intrusion detection, performance monitoring and disaster recovery than burden a sysadmin with yet another system in-house.

Getting out may be easier than getting in. Once you’ve married a cloud service, how easy will it be to disengage/migrate to another solution at some future date? Is standardization and interoperability in a state that will increase the risk of vendor lock-in? What if the cloud vendor is bought by your competitor and changes policies?

Which is equally true of any bought-in platform. Just remove the word “cloud” from the above paragraph. Vendor lock-in is real however.

A new golden rule of IoT network design is to store sensor data as close as possible to its point of origin and limit its sharing across the network unless absolutely necessary.

You can’t just invent golden rules. Many people want low-cost, low-power endpoints with no storage and no persistence, pushing everything to more powerful gateways or servers. The AWS and Azure IoT platforms both accommodate this. This is Pat Burns’s golden rule, to sell his product.

The endpoint is key to the golden rule. Better processors, cheaper memory, and better networking stacks from companies like Haystack are evolving endpoints from dumb terminals to independent, distributed computing devices with real-time query (think Google for the IoT) and NoSQL-like filesystem support. Endpoint-centric designs also have the bonus of being more stealthy and secure, faster, cheaper, and better stewards of battery life and wireless bandwidth. In short, good IoT network design should begin with the endpoint in mind and “dumb” endpoint technologies that beacon or create unnecessary security risks should be phased out.

I just don’t know where to begin on this.

The enemy of security is complexity. Are you actually trying to argue that having hundreds of endpoints in a distributed network, each able to store data and be queried, is going to be more secure than, say, a memory-based RFID tag? Or a transmit-only 8-bit PIC based humidity sensor?

How are these endpoints cheaper?

What is his issue with beacons and stealth? Well – it’s lucky there is another article – “A Simple Proposal To Improve Security for the Internet of Things” to help us demolish yet another series of misconceptions and misinformation.

Almost every IoT security breach in recent news can be traced to the poor architecture of the wireless protocol used by the device.

No, no they can’t.

Firstly, that is very, very specific. “Poor architecture of the wireless protocol”. Not “Weak implementation of the wireless protocol” or “devices using wireless protocols”.

Secondly, neither of the links provided is a breach. A breach is the result of a system being exploited. One is information leakage, the other is a report of a vulnerability.

Thirdly, the Jeep hack was nothing to do with the wireless protocol. Jeeps could be using wired Ethernet and the same issues would have been present.

Fourthly, nearly every IoT breach in recent news has been carried out over the Internet, not by local attacks on the wireless protocol. There is a lot of research into wireless security, and there is a lot of noise at conferences, but the bulk of issues occur remotely over the Internet. Hackers are not sat outside homes and businesses cracking your Zigbee or wireless burglar alarm.

Avoiding or minimizing the chances of unauthorized discovery is not technically difficult. But today’s IoT technologies like Bluetooth, 6lowpan, Sigfox, LoRaWAN, and others make unauthorized discovery very easy and it creates the worst kind of angst in IT departments.

Most of the protocols make discovery easy because it is intentional. They layer security with discoverability, enabling systems which people can actually use and are actually deployed (unlike Dash7).

The link doesn’t support that unauthorised discovery is causing angst in IT departments. He seems to often do this – provide a link which is vaguely related but doesn’t support the argument. It would be fair to say “IoT is causing angst in IT departments”.

Most wireless IoT technologies were originally conceived as ways to stream large files (Bluetooth, WiFi) while some were designed to be “lighter” versions of WiFi (e.g., ZigBee). Today they are being re-positioned as “IoT” technologies and security, to put it nicely, is an afterthought. Oh yes — some have tried to “layer on” security and may profess to support encryption.

Layering encryption onto a transport protocol is completely valid. It’s widely acknowledged that ZigBee, Z-Wave and WiFi, if implemented correctly, are secure against the risk profile that is involved. Skilled hackers are not sat outside your house, waiting for you to pair your Hue bulbs to the hub so they can grab the keys. It is not happening. Even if they did, all they can do is turn your lights on and off.

I have no idea why they “profess” to support encryption. They all offer encryption. WPA2 is actually a very secure protocol.

hacks for all of these technologies are quite public yet fundamentally traceable to one original sin:

these wireless IoT technologies don’t know how to keep quiet.

What? What hacks of wireless protocols can be traced to not keeping quiet?

More recently, drones are being used to hunt for ZigBee-based endpoints, giving bad actors an easy way to discover, map, and hack ZigBee endpoints:

No, drones are being used to map Zigbee broadcast traffic. This is not enabling anyone to hack Zigbee anymore than putting your house number on the door of your house enables someone to pick your locks.

this type of hack provides all sorts of information about each endpoint, including manufacturer ID.

This is not a hack.

This need to be “discoverable” — and this is not limited to ZigBee, Bluetooth or WiFi but to most wireless IoT technologies — requires a near-constant advertising of a device’s presence, leading to any number of “disaster scenarios” that others have extensively written about.

The link, again, doesn’t support that a wireless protocol being discoverable will lead to any disaster scenario. Just pile the links on and hope no one checks.

There is no technical reason that the Internet of Things cannot embrace silence, or stealth as I prefer to call it, as a first principle of endpoint security. Stealth is not a silver bullet for IoT security (there is no silver bullet) and stealth alone won’t protect a network from intrusions, but dollar-for-dollar, stealth is the simplest, cheapest, and most effective form of IoT security protection available.

There is, quite literally, nothing to support this position.

An endpoint receiving and sending plaintext, unauthenticated commands and data will not see a noticeable improvement in security from stealth. Passive monitoring of the channel will still leak data, and active tampering will cause havoc. The stealth must be broken for the device to send, and this can be seen.

An endpoint receiving and sending encrypted, authenticated commands and data will not see a noticeable improvement in security from stealth either. The data is still encrypted. Unauthenticated commands won’t be carried out.

This is just garbage.

Dollar for dollar, it might be worth making your nodes quieter, but not at the cost of switching from a widely adopted, widely inspected wireless standard to Dash7.

He tries to explain why:

Cloaking. It is harder to discover, hack, spoof, and/or “stalk” an endpoint if a hacker cannot locate the endpoint.

Endpoints need to send. Being stealthy can reduce the traffic but there will still be traffic. Stealth is only a weak layer of security through obscurity.

Googling the IoT. Stealth enables real-time queries of endpoints, a la Google search that non-stealthy endpoints can’t support. Stealth also enables fast queries (<2 seconds) in environments with thousands of endpoints, in turn enabling big data analytics at the true edge of the network.

This has absolutely nothing to do with how stealthy communications from the node are. If you enable your node to be queried, it can be queried. In fact, querying and accessing data from the edge of a network almost negates attempts at being stealthy, as you will see an increase in complex and important traffic on the wireless network.

Minimize interference. Less data being transmitted minimizes the opportunities for interference and failed message transmissions. Contrast this with the tragedy of the commons at 2.45 GHz, where WiFi, ZigBee, microwave ovens, and other countless other technologies engage in wireless gladiatorial combat and cause too many customers to return their IoT gadgets because they “don’t work”.

Again, this has very little to do with stealth. 434 MHz – which Dash7 uses – has as many issues with contention as 2.4 GHz. In the UK, there are many more poor quality, untested, non-standards-compliant transmitters in the 434 MHz band than there are on 2.4 GHz.

Access control. Stealthy endpoints make it easier to control access to the endpoint by limiting who can query the endpoint.

Again, absolutely no link between stealth and access control. If you limit access to something, you limit access to it.

Storage. Less data being transmitted reduces storage costs. Storage vendors, on the other hand, love the non-stealthy IoT status quo.

Again, what? If your endpoint decides to ditch data, then your cloud can also decide to ditch data. This has nothing to do with stealth of the wireless protocol – it’s about volume of data at the application layer.

At this point, I’m bored of this. These articles are utter crap.

Straight Pride UK having a shot at the Streisand effect

A blogger called Oliver Hotham emailed a set of questions to an organisation called “Straight Pride UK”. They responded, Oliver blogged about it, and then was served with a DMCA takedown notice. WordPress generally just give in to these.

Oliver decided he didn’t want trouble – WordPress said his whole blog would be suspended if he posted it again. Ian at Technovia made the content available again. I’m mirroring it here. It would be great if more people could do the same – the more people that share this, the less can be done.

Oliver’s original post

There has never been a better time to be gay in this country. LGBTI people will soon enjoy full marriage equality, public acceptance of homosexuality is at an all time high, and generally a consensus has developed that it’s really not that big of a deal what consenting adults do in the privacy of their bedrooms. The debate on Gay Marriage in the House of Commons was marred by a few old reactionaries, true, but generally it’s become accepted that full rights for LGBTI people is inevitable and desirable. Thank God.

But some are deeply troubled by this unfaltering march toward common decency, and they call themselves the Straight Pride movement.

Determined to raise awareness of the “heterosexual part of our society”, Straight Pride believe that a militant gay lobby has hijacked the debate on sexuality in this country, and encourage their members, among other things, to “come out” as straight, posting on their Facebook page that:

“Coming out as Straight or heterosexual in todays politically correct world is an extremely challenging experience. It is often distressing and evokes emotions of fear, relief, pride and embarrassment.”

I asked them some questions.

First of all, what prompted you to set up Straight Pride UK? 

Straight Pride is a small group of heterosexual individuals who joined together after seeing the rights of people who have opposing views to homosexuality trampled over and, quite frankly, oppressed.

With the current political situation in the United Kingdom with Gay Marriage passing, everyone  is being forced to accept homosexuals, and other chosen lifestyles and behaviours, no matter their opposing views. Straight Pride has seen people sued, and businesses affected, all because the homosexual community do not like people having a view or opinion that differs from theirs.

Are your beliefs linked to religion? How many of you derive your views from scripture?

Straight Pride aims are neutral and we do not follow religion, but we do support people who are oppressed for being religious. Only today, Straight Pride see that two homosexual parents are planning to sue the Church because they ‘cannot get what they want’. This is aggressive behaviour and this is the reason why people have strong objections to homosexuals.

You say that one of your goals is “to raise awareness of the heterosexual part of society”. Why do you feel this is necessary? 

The Straight Pride mission is to make sure that the default setting for humanity is not forgotten and that heterosexuals are allowed to have a voice and speak out against being oppressed because of the politically correct Government.

Straight Pride feel the need to raise awareness of heterosexuality, family values, morals, and traditional lifestyles and relationships.

Your website states that “Homosexuals have more rights than others”. What rights specifically do LGBTI people have that straight people are denied?

Homosexuals do currently have more rights than heterosexuals, their rights can trump those of others, religious or not. Heterosexuals cannot speak out against homosexuals, but homosexuals are free to call people bigots who don’t agree with homosexuality, heterosexuals, religious or not, cannot refuse to serve or accommodate homosexuals, if they do, they face being sued, this has already happened.

Straight Pride believe anyone should be able to refuse service and speak out against something they do not like or support.

There is a hotel in the south of England, called Hamilton Hall which only accepts homosexuals – if this is allowed, then hotels should have the choice and right to who they accommodate.

What has been the response to your campaign?

The response to Straight Pride’s formation has been as expected; hostile, threatening, and aggressive. Homosexuals do not like anyone challenging them or their behaviour.

We have had support from many people saying that if homosexuals can have a Pride March, and then equality should allow Heterosexuals to have one too. After all, the homosexual movement want everyone to have equality.

Why would you say that heterosexuality the “natural orientation”? 

Heterosexuality is the default setting for the human race, this is what creates life, if everyone made the decision to be homosexual, life would stop. People are radicalised to become homosexual, it is promoted to be ‘okay’ and right by the many groups that have sprung up.

Marriage is a man and a woman, homosexuals had Civil Partnerships, which was identical to Marriage with all the same rights, they wanted to destroy Marriage and have successfully done so.

If you could pick one historical figure to be the symbol of straight pride (just as figures like Alan Turing, Judith Butler or Peter Tatchell would be for Gay Pride) which would you choose?

Straight Pride would praise Margaret Thatcher for her stance on Section 28, which meant that children were not  taught about homosexuality, as this should not on the curriculum.

More recently, Straight Pride admire President Vladimir Putin of Russia for his stance and support of his country’s traditional values.

How do you react to anti-gay attacks and movements in Russia and parts of Africa? 

Straight Pride support what Russia and Africa are doing, these countries have morals and are listening to their majorities. These countries are not ‘anti-gay’ – that is a term always used by the Homosexual Agenda to play the victim and suppress opinions and views of those against it.

These countries have passed laws, these laws are to be respected and no other country should interfere with another country’s laws or legislation.

We have country-wide events which our members attend, and ask people their opinions and views. One such event at Glastonbury this year was very positive, with the majority of people we asked replying that they were happily heterosexual.

For the record, Straight Pride did not respond to these questions:

“Pride” movements such as Gay Pride and Black Pride were making the argument that the stigma against them meant that proclaiming their “pride” was an act of liberation from oppression. Can being heterosexual really compare?

A problem that Gay rights activists cite is the issue of bullying, and the effect this can have on young LGBT people. Do you think a similar problem exists with straight children being bullied by gay children? 

I will obviously add to this if they do respond.

You can follow Straight Pride on Twitter here and see their Facebook page here.

A remedy to the anti-NHS bile…

Last year, I was suffering from serious anxiety around my infant son getting ill. It was stopping me sleeping and eating. I had a couple of panic attacks. I ended up speaking to a psychotherapist to help me control these feelings. In retrospect, it feels like a part of this anxiety centred around a lack of confidence in the medical help available to us. My confidence had been eroded by the media picture of the NHS.

Day after day I see the NHS being attacked at every level. The people running it are useless. The nurses lack compassion. The doctors can’t speak English. It goes on and on.

A big thing that helped my anxiety was following doctors, nurses, paramedics and other healthcare professionals on twitter. That might sound trite, but I really think it helped. I could see that there are a huge number of people in the NHS who are really passionate and involved in their jobs.

This post is probably just going to become a hugely involved version of a “follow Friday”, but I thought I would highlight some of the best NHS twitter accounts out there. If I have missed you, I am sorry. If I have got your title a bit wrong, also sorry!

  • @DrRanj – a paeds doctor who does a lot of really good TV and media work. Comes across as personable and honest.
  • @Dr_Ayan – a GP who is also the BBC World News medical expert. Heavily into evidence based medicine, never afraid to say what he means.
  • @kiershiels – paeds doctor who you might remember from the first series of “Junior Doctors” on the BBC. Clearly passionate about his work. The most middle class man in the UK.
  • @SepsisUK – The UK Sepsis Trust – the account is run by Dr Ron Daniels, an ITU doc. Always willing to engage. Sepsis kills more than 37k people each year in the UK, and for each person it kills it can destroy another person’s life. I urge everyone to take a look at what sepsis is and how to recognise it. Don’t rely on doctors and nurses to pick it up! My partner was admitted to hospital with suspected sepsis and because she was treated promptly and correctly, it was nipped in the bud.
  • @DoctorChristian – I might not always agree with him or his shirts, but he does an awful lot to make the public aware of problems and how to solve them.
  • @DrCJohn – anaesthetist who seems to need to learn something new each day. Less celeb than the ones above, but just as involved.
  • The paramedics – @meditude, @HewettChris, and @StretcherMONKEY. These three accounts couldn’t be any more different to each other, but there is no doubt they all have the same goals.
  • And finally, the ambulance control room, @AmbControl999. Honest and informative.

Give these guys a go. Or any of the other NHS staff on twitter. I’m almost certain it will leave you impressed rather than saddened.

Don’t blame what is happening to the NHS on these guys – blame it on our ridiculous government.

Thanks also has to go to the West Middlesex UCC which has seen me and my son several times, and seen us quickly and given us the best possible standards of care.

Another muddled, seriously misguided petition

Petitions seem to have become the de facto form of protest, somewhere between tutting and writing a strongly worded letter.

So often they are badly written, require previous knowledge of the situation, and don’t have a clear goal.

This morning, a hot topic of conversation has been how Twitter deals with reports of abuse, in relation to alleged rape threats made to @CCriadoPerez. Of course – a petition has started.

EDIT – the petition has been edited to add something about changing T&Cs. This is a step in the right direction, I still feel the petition is very poor. I also really dislike the fact you can edit petitions on change.org – it seems dishonest to let 8k people sign something and then alter it. The screenshot still stands below.

Petitions...

I really don’t want to comment on the alleged threats themselves, but the response and what people expect of Twitter.

Why direct this at Mark S Luckie?

The first thing I find really odd is how Mark S Luckie has become part of this issue. He is the Manager of Journalism and News at Twitter. He isn’t involved with how abuse is reported or dealt with on Twitter. I’m not sure what people expected from him. It seems unfair to direct this campaign towards him.

After many tweets were directed at Mark, he changed his account to be protected, preventing most people from seeing his tweets. I think it would be massively unprofessional for him to personally comment on the situation. At most he could direct people towards the proper channels for reporting abuse.

Oddly, some have interpreted Mark’s actions as “Twitter says it’s not their problem”.

I really don’t see how one employee protecting their account says this. The big issue here is how Twitter deals with abuse in general, not how one employee has handled one particular instance of abuse. Conflating the two seems petty.

Zero-tolerance? You are joking?

How can a multi-national micro-blogging platform with half a billion users and millions of tweets a day adopt a zero-tolerance policy on abuse?

Just think for a second about how this could possibly work.

Which country’s laws would Twitter uphold? What is perfectly fine in one country isn’t in another.

What happens if someone calls you a name you don’t like? Report it as abuse!

Someone was mean about a blog post you wrote? You can shut them down by reporting it as abuse.

Zero-tolerance means you would need to side with people who are easily offended and uphold laws in countries where free speech is oppressed. This isn’t what Twitter is about.

It’s just not possible or desirable to adopt a zero-tolerance stance on abuse. By aiming for a ridiculous goal you are never going to achieve it.

Totally missing the point

Twitter has procedures for reporting abuse already. I’ve used them and they worked for me.

I get the impression they don’t always work. It seems like the abuse team is often overworked. This is the real issue – how Twitter actually deals with reports of abuse.

@CCriadoPerez seems to have managed to find out how to report abuse and she has also contacted the police. I would hope that both Twitter and the police handle the reports appropriately.

If @CCriadoPerez doesn’t get an appropriate response, then there is a problem. I don’t think enough time has passed to pass judgement on this.

I am not sure how adding an abuse button to tweets is going to solve any problem. If the abuse in a tweet is serious enough to warrant getting a member of Twitter staff to investigate, surely it is worth your effort to go to the page where you need to report abuse? Inundating the abuse team with single-click abuse reports is not going to help in any way.

Hypocritical locksmith community still promoting security through obscurity

Locks and building security is a funny business. The fundamental goal of a lock is to only let someone with a certain key open that lock. But they are mechanical devices, so there will always be weaknesses and ways to open them without the key – that could be as simple as “carding” the bolt (bypassing the lock altogether) or as complex as single pin picking the cylinder.

The concept of a truly unpickable lock is a fallacy. After all, if a key can open it, something that assimilates the key can also open it. That’s all that lock picking is – assimilating the key. All we can do is make the lock stronger or more pick resistant. This has been going on for years – 100 years ago simple warded lever locks were common, whereas now most house front doors will have a deadlocking nightlatch as well as one or more 5-lever mortise locks incorporating anti-pick features. The silly thing is there is nearly always a window that can be broken right next to the door.

Quite frequently it turns out that locks have design flaws, which make the lock far more vulnerable than it should be. Examples of this are padlock shims, comb picks and the now legendary Kryptonite ball point pen problem. What’s the best policy in these situations? Keep it secret so that not even the bad guys know about it? Or tell everyone so that they can make an informed decision about upgrading their locks? The locksmith community has always promoted the security through obscurity route. Whether this is for the best or not, I don’t know.

One such recent vulnerability has been termed “lock snapping”. This has been known about for years. Most UPVC doors use euro profile lock cylinders – these are oval-shaped cylinders which contain just the lock itself, and they are inserted into the door inside a locking mechanism along with a handle and deadbolt. This allows the user to choose what lock to fit to the door, and makes it easy to replace.

And there is the problem – the cylinder is removable from the lock, and hence vulnerable to attack. There are two basic methods. One is to grab the lock with a pair of mole grips (locking pliers) and bend it backwards and forwards until it snaps in the middle. The other is to drive a hardened steel screw into the keyway, and then you can pull the entire cylinder out, sometimes using mole grips, and sometimes using a slide hammer. This can take less than 30s with practice.

Manufacturers have responded in several ways:

  • Hardened steel escutcheons prevent the lock from being grabbed onto. Generally you can still pull the cylinder with a screw.
  • Sacrificial outer sections snap off first, leaving the locking mechanism intact in the middle (Mul-T-Lock Break Secure). Again, vulnerable to the screw.
  • A laminated steel plate strengthens the cylinder (the CISA Astral range). These can still be snapped.

But as predicted, the locksmith community want to keep this under wraps. I can’t work out why – there are already a large number of burglaries that are carried out using this as the method of entry – the bad guys already know how to do this. Why shouldn’t people be made aware of a problem with their locks that renders them practically ineffective?

Last week, a representative from Avocet locks turned up on one of the locksmith forums. He challenged anyone to come to their workshops and try to attack one of their new locks, which are supposedly not vulnerable to snapping. As part of this, he posted several videos on YouTube showing successful attacks against Cisa and other locks.

These videos seemed to annoy the locksmiths, despite the fact that there are loads of other videos available, and it’s pretty obvious how to do it anyway.

The best bit is, this forum is associated with a company that sells bump keys to anyone who wants them. I detect a certain level of hypocrisy here.