- Feature Articles
- CodeSOD
- Error'd
- 
                
                    Forums 
- 
                Other Articles
                - Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
 
 
            
Admin
For those wondering why the owner doesn't just give the Realtor the key, the answer is that the house may be shown by more than one Realtor, and they may not even all be from the same company.
Of course, that means that more people know the combination, which makes lock boxes even more WTF-y.
Admin
Admin
The Realtors(TM!) in my area don't use boxes with any buttons. Each REALTOR(TM!) has a small hardware device with a ten digit keypad that they enter a unique number into. They then put that device at the bottom of the lockbox and it opens.
Admin
I know when I was house hunting about 6 years ago, the trend in hardware seemed to be a lock box without a keypad/dial/etc on the front. My realtor had a small remote with some contacts on the back - she entered the code and snapped the "remote" into the lock box and it opened. So even if you knew the combination, unless you had one of the remotes (which I assume aren't given out to every Joe Schmoe) you couldn't open the box.
Admin
Dang, beat me by 3 minutes :)
Admin
Yeah, because we see Real Estate agents reading dailywft all the time.
Admin
I do not find it ethically unquestionable. If the lock can be broken easily, it should not be on the market.
Admin
@Frank The same reason as any other security flaw announcement.
People can and will break in easily, yesterday the realtor could say. "It's not our fault we fitted a super secure lock box - what more could we do, liable us?"
Today you can point out that the brightest (or most bored minds) on the internet have shown that the lock boxes are about as secure as your sister's "My Little Pony" diary lock. And so it's the realtors fault for using one.
Admin
Seriously? If someone wants to get into a house to steal something they will, lock box or no lock box. Usually a good kick to the door near the door knob will get you in. Or a screw driver wedged into the striker plate(I have locked myself out of many doors which is why I know this). Dead bolts are another issue all together.
This lock box wouldn't be the same as Al Gore's lock box would it? (Senseless American Political Humor in case you were wondering)
Admin
This was my first VB-project ever! I'm a bit embarrassed to show it but to my defense it was fifteen years ago...
If Len(Text1.Text) = 4 Then a = Mid(Text1.Text, 1, 1) b = Mid(Text1.Text, 2, 1) c = Mid(Text1.Text, 3, 1) d = Mid(Text1.Text, 4, 1) Label1.Caption = a & b & c & d & a & b & c & a & d & b & c & a & b & d & c & a & b & a & c & d & b & a & c & b & d & a & c & b & a & d & c & b & aAdmin
You don't know much about locks, do you?
Admin
I've never seen anyone bolt a box like this to the wall. Making large holes through the exterior wall in order to fit it seems a bit extreme.
Admin
It's a well studied problem already. Hint google "de Bruijn sequence".
Admin
de Bruijn graph
Admin
With all the cycles spent checking that the sequence does not repeat, I would bet that a random number generator would be just as effective.
BTW, the bonus points problem says 1-2-3-4-5 would not cover 1-2-3-5. I think it should read 1-2-3-4 instead of 1-2-3-4-5
Admin
This isn't a practicable way to break into a house anyway. Even a cursory glance shows that the number of keypresses to crack the lock is 10003 < n < 40000, and I'm risking a guess that if you showed up at a house with 20 printed out pages of numbers and spent 6 hours pressing the buttons near the door, someone might get a clue and call the police. Especially when you can instead apply a crowbar to a backdoor and be in the house in 15 seconds instead.
Admin
Obviously alot of people here have never bought or sold a house.
The selling agent and the buying agent are not always the same person. If your agent finds a house that suits your criteria on MLS he/she will make an appointment with the agent with whom the house is listed for a viewing. That agent calls the homeowner with the date and time (so they will be away from the house) and has them leave the lockbox on the door or they go to the house and leave the lockbox if the house is vacant or the homeowner is not around. Your agent is provided with the lockbox code. The listing agent is typically not (rarely ever) present at these walk-throughs. If they are, they usually stay outside until you are done.
This is how it was done both times I bought (and the one time I sold) a house.
Admin
Assuming perfect overlap (meaning all numbers are used in 4 different combinations) you would still need 10000/4 = 2500 characters to compile a string to cover all possible combinations. Not something the average burglar would want to enter by hand and that is the best case scenario which is obviously much shorter than the actual solution.
Admin
Admin
I've been looking at houses recently, so I can say with near certainty that the combination lock boxes aren't really used much any more. Every house we go to has an electronic keybox that unlocks using an electronic key that is unique to our realtor. The box also records what realtors have opened it and when, and our realtor gets a ping back from the listing agent later...
I'm not saying that the new boxes are secure. They're probably riddled with security problems, especially given the large number of electronic keys that will open them, and the open question of the communication between key and box and whether or not that can be sniffed or replicated... They're just not insecure in this way.
Admin
A typical lockbox these days is an electronic device, with a little MCU inside, hooked up to a solenoid and an IR receiver. You use a remote to unlock it. I doubt those are much safer though, only require different expertise to figure out. I'm pretty sure the current ones are not very hard to bypass, and will stay that way until their weaknesses become publicized.
Alas, all of that is kinda moot if what the lockbox protects is easier to bypass than the lockbox itself. Most residential keys, especially those of low-end distressed properties, can be picked in half a minute or so.
For those who don't know: The lockbox design is such that you don't need to have it open in order to unlock the door's key lock. In fact, the lockbox stays latched onto the door handle until the property is delisted (usually: sold). The key is stored in a little drawer inside of the lockbox.
Admin
It would seem to me the more unethical thing would be to let people go on believing they're secure when they're actually just a robbery waiting to happen. Sometimes you have to slap someone in the face with reality before they'll do the right thing. There was a show called "It Takes A Thief" on Discovery where ex-criminals would demonstrate to homeowners just how easy it is to break into their homes and find their hidden (and not-so-hidden) valuables. I think my favorite was when the family's dog jumped in the getaway van with the thieves.
Admin
Admin
Hasn't that question been asked several times before, eg. in the WTF Forums?
Admin
I my area (Columbia, MO), the Realtors have advanced lock boxes that use wireless communications to open the boxes. The Realtors all carry blackberries which contain some kind of code to open the lock boxes. The agent just types some stuff in (not sure what) to the blackberry and a few seconds later the lock box opens.
Admin
What part of 'brute force' don't you understand? Besides, checking and not checking would still be on the same order of magnuitude.
I'm not even sure what your point is here. This method just produces all sequences in a range and appends them if they don't already exist.
Where's your code, mr. genius? You even have the advantage of others posting the efficient way of doing this now. So let's see it.
Addendum (2010-03-31 12:48): BTW- You could micro-optimize my original method by using a hash table and check for the existence of a string instead of doing a string search.
Admin
It never fails to amaze me how often the guy who says "maybe this isn't such a good idea" gets ridiculed and scorned. The rational used to justify the abuse usually boils down to variations on the themes of "the bad guys already know all this anyway" and "security by ignorance never works; we're really empowering the masses by telling them about a vulnerability". I say bollocks to both arguments.
It is almost certain that "the bad guys" do in fact already have the knowledge being discussed. The thing is, as is discussed in this thread, they usually also have other knowledge/tools that are more efficient; using this example, it's pretty unlikely a thief going to stand there keying in ~10K numbers rather than using a lock pick or a brick. The problem arises when some piece of knowledge lowers the bar for what determines a "bad guy". If you don't think there is a population of bored kids out there who see stuff like this and say, "Hey! I didn't know that's how those locks worked! Let's give it a try, just for kicks!" then you're a fool. Now, instead of just a (relatively) small number of actual criminals, the group of "bad guys" grows exponentially to include bored kids and casual vandals. And yes, I know that the chances of a bored kid having the patience to key in all 10K numbers approaches zero, but we also know that the lock will open long before exhausting the set of all possible combinations, especially with some of the other techniques already discussed in the thread.
I also disagree with the "security by ignorance never works" argument. This website is a prime example of ignorance in action. Do you think most of the examples we see here everyday are the result of anything but ignorance or stupidity? The schmucks responsible for them certainly wouldn't have chosen to do some of the ridiculous things we all chuckle at if they'd known a better way. What's more, simply knowing that a thing is possible is often the biggest obstacle to getting something done. Would our hypothetical bored kid known about the limitations of these locks or how to use the De Bruijn sequence to brute force the key entries? Bloody unlikely, I think. However, the very sites that host these "hey, didja know that ..." type of discussions are often the same sites our bored little nascent troublemakers often hang out on. Just because "security by ignorance" doesn't ALWAYS work doesn't mean we need to do our best to ensure that it NEVER works.
Finally, the "we're educating people to the problem" justification is complete and utter BS. How, precisely, to you think people are going to be educated? From reading about it on TDWTF? <sarc>Yeah; right!</sarc> They'll learn about it when their neighbors’ house is vandalized or they come home to find all their stuff gone and the police tell 'em that entry was gained by someone getting the key out of the lock box. Thanks, but that's not the way I want to be "educated".
</rant>This may seem like a strident reaction to a fairly innocuous situation, but I'm really tired of people being mocked and scoffed at for daring to raise a question about the wisdom of doing something.
Let the ad hominum attacks commence!
Admin
you sure you have the same brand? I have one which looks about the same, but I tested it: if you punch a number NOT in the combo, it won't open. It is true that order doesn't matter, so 1-2-3 is the same as 2-1-3 and so on, but 1-4-2-3 won't open it.
Admin
Because even if the house is empty, you still have electrical wire (copper) and copper tubing. Both can be turned in for recycling and earn some decent money.
Admin
The easier way to attack a lock like this involves a sharp smack with a hammer. When I was house hunting it always seemed to me that these devices were quite flimsy in construction.
Admin
Admin
WoW, we had almost the same history told at a lecture of discrete mathematics - it appeared, that some time ago we had key lock boxes working in the same pattern in our faculty building (IT one ;D). Fortunately, they changed them to ones that reset after pushing 4 digits (;
Admin
Whether it's ethically questionable or not, no one is going to use it. There are 10,000 different combinations. Breaking into a 4-digit 10-key lockbox by trying every combination would average 5,000 tries, or 20,000 keypresses, using an easy algorithm of adding 1 each time.
A maximally efficient algorithm (and I doubt there is one) could reduce this to exactly 1/4th, meaning you'd have 5,000 keypresses on average (5,000 tries, again, but only 1 keypress each time)... but you'd be reading each number off of a page full of 10,000 numbers. No one would do that, it would be far too easy to miss a number, lose your place, read the wrong line, press the wrong button. Any mistake at all would basically mean you'd have to start over or risk missing the opening combination. And you might have 1/4th the keypresses, but it wouldn't take you 1/4th the time, since the attempt to open it is the lengthy part. It's not worth the loss of the ability to remember what number you were on.
So it's just a theoretical exercise, the practical implementation isn't useful at all.
Admin
The correct place to direct your anger would be with your realtor for using such an insecure system.
Admin
Admin
^This. The ones I've seen seem to be all plastic.
Admin
There are other technologies that are used now as well. They are relatively inexpensive to implement and are resuabe. These tech not only make it impossible to open with out having a user identifible pass key they track who opened it so if something happens there is a track back
Admin
Look up bump keys - they're simple to make and only require that you know what shape key blank is used. With practice, you can open a door quickly enough that a casual observer would think you were using a real key
Admin
Personally, I don't consider this lock box system flawed at all.
Considering that repetitions are allowed, you have a total of 10^4 possible combinations. In the worst-case scenario, some dude would have to input 10000 numbers in a row to break into your house....
IMO, a crowbar is more effective.
Admin
First, it's ad hominem.
sigh
If a person cannot be bothered to properly educate themselves with their surroundings to at least some degree, don't expect much compassion from others. If they are content with knowing less-satisfactory about stuff, adjust expectations accordingly.
IE-You use a pipe cleaner that eats away at your pipes. You then bitch about having to replace them. You got what you had coming.
Admin
Agreed. This is no more ethically questionable than saying "you can break a glass window with a reasonably sized stone." And that would take a lot less time than brute forcing the key lock box.
Admin
I'd like to point out that this can also be used to open car doors with the combination locks on the door handles. Especially those with five buttons, in which each single button shares two numbers: (1|2) (3|4) (5|6) (7|8) (9|0).
Admin
Well played, D-Coder, well played!
(Grizz frantically searches for his Snappy Comebacks for Dummies book. As usual, he'll find it tomorrow.)
Admin
This reminds me of a brute force attack that a college friend used after a night of drinking.
As he was stumbling across campus, he noticed a bike locked with a very unique lock. It had 5 levers, each of which had 3 positions. He quickly calculated that the exact number of possible combinations was 240 (remember, he had been drinking!) and sat down to brute force it. He said it only took him 2-3 minutes even with his fingers not following directions very well. So, he stole the lock! (remember yet again that he had been drinking) Hopefully, the bike owner used the bike before someone came by looking to steal the bike.
:-( I had my bike stolen from a nearby bike stand, but they just cut the lock over a long holiday weekend. The brute-force-a-la-bolt-cutters algorithm.
Admin
Many of these lockboxes have been replaced with electronic locks that require the real estate salesperson to physically place a RFID dongel near the box for it to unlock the box. The houses you mentioned here, many times have the simpler box, described here, requiring the entry of the code. Some agents give the code to trusted (perhaps unwisely) clients have access to those boxes.
Admin
Its not questionably ethical, it is patriotic. It is just like discussing any vulnerability. We need them because there are vulnerabilities and if we ignore them, we only get burned by ';DROP DATABASE;
There are better locks out there - with fingerprint scanners or RSA tokens. The amount of liability is proportional to the risk and is balanced by the cost of defending/repair. While a worst-case is to burn the house down, a much more reasonable case is that someone would rip out all the copper pipes so you multiply the crime factor against the cost of copper pipes to determine your lock's cost.
One rule not mentioned is you can't repeat the digit.
Admin
I think you may grossly underestimating the length of the resulting string.
I am pretty sure it going to be on the order of thousands of digits.
Admin
Admin
Wouldnt this be just a loop from 0 to 9999 zero padded to 4 digits?
Admin
If I understood correctly, there are a couple of errors in the text:
Taking it a step further, the sequence 4-8-2-9-5-1-4-5 would cover the codes 4-8-2-9 8-2-9-5 9-5-1-4 and 5-1-4-5. -> and 2-9-5-1.
write a function that outputs a sequence numbers which cover all combinations within the sequence. -> to write a sequence is trivial, shouldn't it be "write the shortest sequence which covers all combinations"??.