When I was growing up, one of the benefits to having a CIA dad was that I got to play with the cool stuff he brought home. As a result, I’ve been trained to beat lie detectors, to mentally isolate physical stimuli with training on a biofeedback machine, to make instant keys with a magical metal that melts within seconds in a spoon held over a lighter flame, and to break into the doors and windows in the house in which I grew up. There was also a very cool lock picking kit that he had, and once when I locked myself out of my car in a dark parking lot, my dad showed up with the kit and had my car open in seconds. Growing up, I thought that was a skill that most dads had and that every kid should be taught. I was taught these useful skills that ended up helping me in many situations.
So why are the best lock picking techniques and tools kept a secret or are illegal to possess in D.C.? Is this another example of “security through obscurity?” I’ve spent some time in the lock picking villages at HOPE and Defcon conferences. Why aren’t there more of these opportunities available to the general public, e.g. not only to locksmiths or computer security conference attendees?
This was one of the issues I addressed in my presentation at Pumpcon. I had a great time talking about this at Pumpcon. Soon after Defcon and inspired by the events surrounding the three undergrads from MIT, I began researching how to disclose security vulnerabilities. I was curious about the divide between electronic/physical security breaches and those involving computer software and hardware: why aren’t both groups interested in truthful discussions regarding flaws? Shouldn’t we, as consumers who rely on software designers to protect our home computers and on mechanical engineers who designed the locks on our houses, know if something isn’t quite as secure as advertised?
It seems as if the hardware and physical/electronic security hacks take a long time to be exposed. For example, Marc Tobias presented at HOPE and Defcon in 2008 about how to pick Medeco key locks. However, according to my government fed sources, Medeco lock vulnerabilities have been known for more than a decade. What’s the reason for it not being publicly discussed? I’ve been told that it takes a highly skilled lock picker—or a locksmith—to successfully pick Medeco locks.
But surely, there were skilled lock pickers out there, so why the silence? I found the following on a site that discusses Tobias’ book:
“A detailed analysis is available together with a video demonstration that clearly shows the method of bypass. This publication has been restricted to locksmiths and the professional security community because of the simplicity of the technique and the potential security ramifications that could result from a public disclosure of the exact method. If you have security responsibility, you may contact the author for access to the restricted document. The password has been posted on ClearStar for security professionals.”
I know that the locksmith community has a lot of power, but do they have the power to silence discussion about how to pick locks? Perhaps this is true especially considering that it’s illegal to own a lock picking kit in some states unless you’re a licensed locksmith. Is this an example of a good way to make things more secure or, on the other hand, an example of legislation protecting jobs in an industry? This is how the Freemasons started; they were protecting the secret ingredients for making cement thus making the formula a coveted secret protected by those sworn into a brotherhood and keeping the brothers with guaranteed jobs.
For a modern example, someone from the crowd at Pumpcon told me that Joe Grand, aka Kingpin, gets death threats regarding his lock picking research. I’d like to find more information regarding this statement. (Denied by Kingpin--see comments.) If true, that’s a sobering example of the power of a brotherhood of some kind protecting their own. Is lock picking worthy of protecting through this extreme measure? Does it make us more secure?
Will this attitude eventually spill over into the computer hardware and software security industry? I fear it might.
Note: The picture above is of the back of Kevin Mitnick’s business card. Obviously, it contains lock picking tools. They will work. Funny, but I think his thumb print is still on the other side of the card! ;)