Recently I saw a tweet by @gsuberland that blew my mind, not because it was special but because it was common. He tweeted a photo of a NY Post article on a particular key that was being sold on eBay for $8. This key allegedly can get you access to subways and elevators in NY City. Scary, right? It gets worse.
When you analyze this, it's wrong in so many ways that it's scary.
- The NY Post publishes a photo of the real key, a Yale 1620.
- @gsuberland tweets about it and gets more than 770 RTs (at the time of this post).
- In the thread it gets disclosed that this is a Yale large pin key.
- … and later on the same thread someone tweets a high resolution photo of the key in question from the NY Post website.
Ok, this guy accuses the NY Post of being morons for publishing a photo in the paper and he is right, but his accusation unleashes a series of events that multiplies that error by X factor. Just add the NY Post print circulation + NY Post web traffic + the followers of everyone who retweeted + the 5 people who read my blog. That’s millions + 5, and that’s a lot.
The article in question is from September 20, 2015, that's 5 months back, but after reading the articles and tweets (if you believe them), this is old news. Someone claims that way before the articles he got a 1620 key from a friend. But knowing firsthand how things move in government, I can safely assume that this problem will persist long after everyone on the twitter-verse forgets about it.
Finally, the web post of the NY Post says that eBay stopped selling the key. Hooray! … NOT. Well, actually a quick search on eBay confirms it (I could not find it). But now it's EVERYWHERE! With the information on the print + web + Twitter we can get a Yale blank and make one, or just take one of the high resolution images and convert it to a 3D model (YouTube is your friend) and just print it. NO eBay, NO underground connections and NO special abilities.
This is a prime example of how OSINT works and while many people have the best interest at heart, the road to hell is paved with good intentions (if you believe in that). We have to be careful with the information we put out. I believe in responsible disclosure, but I also know sometimes the ones responsible just don’t care.
… and that's how you can get a skeleton key using open source intelligence.
jq – 2016