[conspire] Bicycle theft: good metaphor for computer/network security

Rick Moen rick at linuxmafia.com
Fri Jul 28 13:01:34 PDT 2023


Offlist response to my "Bicycle theft: good metaphor for
computer/network security" posting on the Surrey LUG mailing list.

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Fri, 28 Jul 2023 12:33:21 -0700
From: Rick Moen <rick at linuxmafia.com>
To: John W <john at johnwash.co.uk>
Subject: Re: Bike locks
Organization: If you lived here, you'd be $HOME already.

Quoting John W (john at johnwash.co.uk):

> I looked at your X1 recommendation.  Yikes.  150 quid!

Yes, £150 is breathtaking.  What can I say?  I really hate bicycle
thieves with just that much fervour, and want to be able to leave my
ancient Trek 1400 road bicycle locked up at a trailhead for five hours
while I do a long day-hike, without worry that even a determined and
well-equipped bicycle thief, working without interruption, would steal
my ride.

In US$, that X1 cost me $179.99 plus shipping.  (Surprisingly, it is
available only directly from Swansea, Wales.)   That was spendy enough
to give me pause for many months, but I had just enough doubts about the
modern security of my 2005 Kryptonite Evolution that I wanted to buy
_something_ current, therefore I stretched my budget to defeat even
angle grinders.

(I expect a personal letter of thanks from The Right Honourable Jeremy
Hunt, imminently.)

The disadvantage is obvious, but the advantage is that I'm "done" with
acquiring burglar-protection for that and any future bicycle, or e-bike,
or even motorcycle, as long as I'm not foolish enough to lock it to
something easier to cut through than the lock is.

You make a plausible argument that any thief possessing a
battery-powered angle grinder would logically use it for a higher-value
heist.  _But:_  Petty criminals tend to specialise, and the sunk cost of
an angle grinder with ablating disc / cutting wheel is easily within the
reach of petty criminals.  I see cordless (mains-free) models for US $60
locally, and a set of three cutting wheels for $5.  So, call that £51
plus VAT, as the price of admission for an enterprising specialised
bicycle thief.  Which, I note, is also just about the cost of a pair of
bolt-cutters.

And, the thing is, bicycle thieves using cordless angle grinders are a
known, credible threat.  For thieves, the tool has the advantage of
being less awkward and probably lighter to tote around than a folding
42" pair of bolt-cutters.  However, context matters:  The bolt cutters
often win by being quiet and not giving off a shower of sparks.
Therefore, the thief will probably haul out his/her portable angle
grinder _only_ in a scenario of concealment & lack of scrutiny, such as
a bicycle rack at school premises after hours, or some attachment-point
in a car park, where a bicycle was unwisely left locked overnight, or
some other contingency where five minutes of noise and sparks aren't a
problem.

Thieves every day take their chances attacking D-locks in front of food
markets with people walking nearby, but only an implausibly bold thief
would chance that same risk scenario with the very loud noise output and
attention-grabbing spark emissions of an angle grinder.

Just saying:  If I owned that e-bike, I would save up 150 quid.

The two other locks widely praised for being the _only_ D-locks to
defeat angle grinders are likewise British, being the model X3 from
Litelok and Hiplok's pioneering D1000 (both even more spendy and
heavier).  So, score three points for British engineering!

All three locks share the trait of new materials science making the
metal much harder than in prior D-locks.  And we know this works, not
because of sales claims, but because of independent, competent testing.

(To be specific:  Testing of the X1 with, if memory serves, stronger
mains-powered angle grinders, under ideal attack conditions in a shop
with the lock in a vise, broke three cutting wheels, at which point, the
tester reasonably concluded "OK, this lock can be cut through
eventually, but only by breaking many cutting wheels over a long attack
period, which is not an economic proposition for the thief, so this
is as close to angle-grinder-proof as makes no difference."  The X3
and D1000 just laughed at such determined attack:  For a valued
motorcycle, I would get the X3.)

Most bicyclists, if shopping for a lock, don't think much at all:  They
buy what the shop has, what a friend recommends, or at most what some
magazine of questionable objectivity and competence calls good enough 
and that is within a pre-decided budget.

Slightly more thoughtful and wary shoppers think "I'll buy something
with an impressive brand like Kryptonite that might deter thieves, and
that looks and feels heavy" (which ideally might deter, or failing that,
defeat thieves), buy accordingly, and hope for the best.

The problem with that is that some thieves know their craft, and see
past brand names and appearance/heft.  Actually, let me revise that:
It's very similar to the situation with spammers.   Professional
spammers are overwhelmingly neither smart nor capable, but alas they 
purchase idiotproofed toolsets and canned techniques and target lists
from a much smaller group of smarter, cannier people.

Analogously, although essentially all bicycle thieves are losers with
chilly-room-temperature IQ (else, why try to earn a living stealing
bicycles), a subset of them are coached in their trade by people who are
skilled in that craft, people who know that Kryptonite is just a brand
name, and teach them what locks and lock-usages are vulnerable, how to
attack them, and how to get away without being caught.

And that underlies why "buy a heavy, massive-looking lock" is a bad
tactic:  It is undermined by uncertainty over how hard the metals and
coatings are.  Combined with the corrosive effect on product quality
caused by shopping solely for low price, the end-result is predictably
bad.  (Coincidentally, I call that effect "Moen's Law of Bicycles".
Please see:  http://linuxmafia.com/~rick/lexicon.html#moenslaw-bicycles)

Thus:  _My_ recommendation for understanding bicycle security is the
same as for understanding computer/network security:  Think the way the
bad guys do; learn to see the world as they see it.  And, in 2023, the
best way I've found to do that, concerning bicycle security, is to watch
YouTube videos where determined people do real-world testing of bicycle
security mechanisms, simulating the attack the bad guys do.  I have
found that very enlightening, and a full antidote to sales talk and
wishful thinking.

Incidentally, I really _love_ the idea of the Skunklock (a local San
Francisco innovation), but it's as expensive as the X1, and is 
actually defeatable even without an angle grinder:  The thief who cuts
into it will be lastingly nauseated and regretting both his/her attack
and probably his/her entire life to date -- but your bicycle will still
be soon gone, thereafter, ridden by a thief who will probably never
attack a Skunklock a _second_ time.

https://www.skunklock.com/


----- End forwarded message -----


