Each of us here at the GFZ has a niche that we get into.
Miguel is our security camera guy. AWA is our digital security guy. I am our physical security guy.
I have been following the Liberty Safe kerfuffle and wanted to give my opinion.
To do this accurately, I’m going to break this down into two separate issues: security and policy.
First, security.
I have a couple of Fort Knox safes. When I bought them, I registered them with Fort Knox. In my paperwork packet is information about how Fort Knox keeps the combination for my S&G mechanical dial lock. If I ever forget my combination, I can provide my serial number, proof of purchase, and other information on a notarized form, or on law enforcement letterhead, and they will provide the combination to a licensed locksmith to come and open my safe.
In the event that I die, my inheritors can provide paperwork, including proof that they inherited my safe, and Fort Knox will dispatch a locksmith to open the safe and give them the combination.
Across the board, it seems that every US gun safe manufacturer has a similar system and policy.
When my dad died suddenly, we had to go through all sorts of rigamarole to get access to his bank accounts, credit cards, safety deposit boxes, internet passwords, etc.
A safe is no different. I’ve seen some people say online, “Drill the safe.” That’s stupid.
My safes are very expensive. A safe has value in and of itself, beyond its contents. Once a safe is drilled, it’s dead. It’s been irreparably damaged. My lawful inheritors should be able to open my safe without having to destroy it and its value.
As much digging as I have done online, I have not come across a single incident that involved a criminal opening a safe by getting the combination from the manufacturer.
It’s a ridiculous premise if you think about it. A mechanical lock has a combination. Digital locks apparently have a master override code. I would assume that the master code is specific to the lock and not universal to all the locks of a particular make and model. If your garage door opener has a unique code, so can your safe.
A thief would have to know the location of your safe and get its serial number from inside the safe, and then in an act of identity theft that includes a public notary, request your combination.
As for the storage of that information by the manufacturer, that falls under corporate security, with layers and layers of protection to keep customer records safe.
Your $2,500 Liberty safe from Cabela’s, sitting in your basement in your suburban home, is not going to get targeted to that degree. You have to worry about the local hoodlums with crowbars who want your stuff to sell for drugs.
If your safe is opened with the combination, I can guarantee it’s because you wrote it down somewhere and they found it, or your bitch ex-wife told someone the combination (that was the only verifiable anecdote of a guy who had his safe burglarized with the combination).
The people online who are going nuts over the idea that their safe has a backdoor master code are being paranoid.
Let me draw you this parallel.
When I got my Mustang, it came with one key fob. My fob got damaged and didn’t work anymore. I had to have it towed to the Ford dealership. There, I had to provide my license, registration, proof of insurance, and proof of ownership (car loan documents) so the dealer could contact Ford corporate and, with the VIN, order a new key fob that would work with my car.
Imagine if I took my car to Ford and they said, “We don’t keep that information. Those key fobs were the only ones in existence for your car. Your car is effectively totaled, you’ll never get it started again.”
That’s fucking stupid.
And try as I might, I have yet to find an incident of a criminal ordering a new fob for a particular VIN to steal a car. All of the fob thefts I have read about are from people who have lost control of their fob and had it cloned.
Security failures like this are almost never the result of a top-level breach (somebody hacking Ford and getting all the fob codes or hacking Liberty and getting all the master codes), but a low-level breach (writing your password down so you don’t forget it or leaving your key for your other car at home while you go on vacation).
At the end of the day, I have to remind people: You’re not that special, Ocean’s 11 is not going to carry out a multi-level caper involving corporate espionage to make off with your guns.
From a physical security standpoint, this is not a serious concern for me.
If it is a concern for you, my two recommended options are: buy a used safe with cash so the company record doesn’t have your information, or buy a new safe and pay a locksmith to replace the lock so the lock is different from the one in the company record. Then make sure you don’t die without some executor knowing the combination, or your inheritors will have to drill your safe.
Second, policy.
This is where Liberty fucked up.
Liberty should have had a policy that says if law enforcement wants the code to a safe, then they have to get a judge to sign a warrant that compels Liberty to provide the code.
Providing the code to law enforcement because they have a warrant to search the homeowner’s home is bad policy.
Unfortunately, Liberty will pay for that.
What I hope to see come out of this is a broad reaction from all US gun safe manufacturers to clarify their policy on the conditions in which they would provide combinations to law enforcement, and that should require a warrant for the combination from the manufacturer.
I hope Liberty recovers; they make good products. It’s important for law-abiding citizens to own gun safes and to lock up their guns to prevent unauthorized access, and having a gun safe company go under Bud Light style won’t help any of us in the long run.
If there is a silver lining, I look forward to possibly picking up a few used Liberties at pennies on the dollar from the same class of people that poured out all of their Bud Light.
The whole thing was blown out of proportion by online hysteria from “big gubmint gonna gulag us” people…. Most corporations WILL cooperate with law enforcement when asked. Plan accordingly… THINK!!
May your chains rest lightly upon you.
Respectfully disagree. Software is bad, evil, and vulnerable. Hardware is only slightly less bad, evil, and vulnerable. I reiterate, I hope defcon hackers have a field day. And don’t get me wrong, mechanical locks are not without their vulnerabilities or exploits; lock manipulation is not hard per se; it is a statistical process.
The whole that is paranoia spiel is bologna at this point. To say, why is there a backdoor engineered into a product that does not need one and has functioned fine for millennia without one is not paranoid. To dislike that business practice and to minimize your exposure to such practices is not paranoid. This is the same mindset of people who are like, well why do you care uncle Sammy hoovers up your encrypted data to do with what he pleases at some point in the future, you don’t have anything to hide, right? Why you so paranoid?
Also lol at the idea any company is to be fully trusted with your data. Fort Knox, Liberty, etc. are all susceptible to the exact same forms of hacking and compromise every other company is. The fucking government can’t control classified information, but master override codes are definitely safe at a manufacturer /sarc. All three credit agencies have been hacked, but your safe code is definitely safe in someone else’s computer! Really I don’t even blame them 100%, the reality is at this time, once it is out of your head you no longer have control over the data. Period. Digital or analog. And the threat environment/landscape constantly changes and jimbo who loves to click everything sent to him is still jimbo who loves to click everything sent to him.
What is the threat profile like? Idk. I do doubt it is severe or high; Liberty is more likely to be the subject of the same ransoms as any other company with little regard for the data, but who knows. If it is discovered that literally every piece of electronic hardware and software a manufacturer has put out is susceptible to a vulnerability that grants easy access to a safe, is that bad? I’d say so.
Everything is hackable in the long run. But a Liberty safe is only 0.1046 inches thick. The weak link isn’t someone hacking Liberty, getting your combination, knowing where you live, and opening your safe. It’s an angle grinder. You’re not getting Fort Knox Bullion Reserve security from a $2000 safe from Cabela’s.
And?
The relative physical security provided by a Liberty safe is not the actual point of contention here, it is the back door and why back doors are dumb and bad. Don’t move the goal posts. We can acknowledge the threat of someone using a stolen master code to backdoor into a safe is low and still say WHY THE FUCK DOES A BACK DOOR EXIST IN THE FIRST PLACE.
The backdoor exists for warranty repair. Because enough people have locked themselves out of their safes, either personal or business, that the manufacturers felt that customer service required the ability to provide the legal owner the ability to open the safe without having a safe cracker break it open. That’s not a crazy position to take for a manufacturer. That’s not a conspiracy against the owners. There is absolutely no evidence that backdoor has ever been used by thieves. That’s not goalposts moving, that’s an accurate assessment of cost vs risk vs reward for a manufacturer of consumer products.
From Charlie Kirk:
Liberty Safe was sold to Monomoy Capital Partners in 2021, a liberal East Coast investment firm. I pulled the FEC reports on the company and found approximately $400,000 over the last 10 cycles of max donations to Democrats like:
Raphael Warnock in GA
John Fetterman in PA
Mandela Barnes in WI
Mark Kelly in AZ
Liberty Safe’s current CEO, Justin Hillenbrand, was a founding partner of Monomoy and donated $4,600 to Obama for America. And we’re supposed to be surprised they betrayed their customers to the FBI as quickly as humanly possible? Boycott Liberty Safe.
All of those points are absolutely irrelevant to the topic of security assessments.
Recent events indicate they are absolutely relevant.
@JKB (can’t reply for some reason)
The goal post moving is changing it from back door good or bad to the relative physical security of the safe. The 14 gauge steel comment reframes the argument to, it doesn’t matter anyways, it is just the shitty steel box from it doesn’t matter if it is a literal turd, if its software has an exploitable back door, that is bad.
Those are legitimate reasons for a back door to exist, that also doesn’t mean the backdoor will always be used for legitimate reasons. We can certainly debate the risk reward of that. IMO since Liberty doesn’t even make real safes, the risk reward is probably a fine trade off for them; I’m sure they came to basically the same conclusion. I don’t think that is an acceptable reason because jimbo is a drunk idiot and can’t remember his safe combo so he can call up the company for any old person to provide that info. I have no idea how big Liberty is, or where their customer service is located that does this, but data leakage and insider threat is an issue and it happens all the time. By way of example, surely it is just a coincidence that we get all the toner scam calls at work right when our machines are running low on toner. Right? There’s no possible way someone from the inside of the contracted supplies company is providing that information to someone on the outside? Right?
Also, this is not known publicly to have been exploited. That is not the same as never been exploited. Many things are exploited for sometimes years before it becomes known publicly. Often they are exploited by those tasked with protecting us; those same people even go so far as to pressure companies to leave exploits unpatched for their use.
A known security vulnerability, like a back door, is not ok to leave unmitigated or unfixed because it still represents a risk of exploit. We can dither and say the risk is mitigated by Liberty securely storing that information and protecting it; it depends on your risk tolerance. I think that is insufficient mitigation for the level of risk that it represents. You are not wrong if your opinion and risk tolerance accepts it. It is indisputable that exploitable vulnerabilities represent risk, and the greater the vulnerability the greater the risk and less justification for not fixing or sufficiently mitigating the vulnerability. And before you say I am going off the rails here, an information security approach applies because this is software, and this is data stored by someone else in their software and systems. It is all computers.
To me it really is a case of wow the front door is barred and gated, let me just walk over to the window next to it, throw this softball sized rock through it that is sitting beneath it, and climb through unabated.