Comments on: The ethics of lock picking and telling

Hackers are turning their attention from software to locks and publicizing the vulnerabilities, angering the industry. But security experts say publicity is necessary.

[Pishkado]

Back about 65 years ago, the late Nobel Prize-winning physicist Richard Feynmann was employed at Los Alamos on the World War II atom bomb project. One of his hobbies was picking the combination locks used to secure classified material. Most of his methods were based on social engineering: knowing that most people didn't reset their locks from the factory default, that most people left the dial on the last number in the combination, and so on. In one case he informed the Army colonel in charge of an area that his locks were not secure, explaining how he had opened several of them. The colonel's response? Instead of telling his people how to improve their lock use practices, he required Feynmann to be escorted whenever he was in the area to make sure he didn't pick any locks.

Some things never change.

[Bill_I]

Richard Feynmann is a hero to me, even though I am not smart enough to understand most of his work. An ordinary lock can have the brass pins drilled out in short order with a cordless drill motor and the cylinder rotated with a screwdriver. I did this once at my job because all the keys were misplaced, including my backup spare. The next day we bought and installed new locks, which was not cheap, and I made triple backup keys.

[JeffW42]

So companies that sell Bic pens or toilet paper or screwdrivers are engaged in illicit activities by selling lock picking tools? What great laws we have.

[Renegade Knight]

There is a lot of rationalization on the part of the lock industry. "Our responsibility is to make changes when we see a change in the state of the art" for example. Actually their responsibltiy is to make good locks. If they find out that their lock can be picked by a bic pen in the hands of an amateur, that's a strong sign they are not making a good lock.

Another thing about locks. Anybody can buy one and use it for any purpose. Paperweight. Target. Bling, or to practice lock picking. Like most things, it's primary purpose isn't always the only legitimate use.

[Dr_Zinj]

I pick or circumvent locks on occasion either for RL business reasons or just for entertainment purposes.

Safes are tough critters. Locks on appliances or equipment are sometimes tough too. But door locks are often easier to just go around that to try picking.

A lot depends on whether a criminal is concerned about leaving obvious evidence of his or her intrusion. If blatant evidence of a break in isn't a problem, it's easy to break a window, or even go through the wall instead of the locked door.

[n3td3v]

"IBM report shows that as soon as a vulnerability is disclosed, an exploit is made for it. Some think it?s time to rethink that policy."

http://www.internetnews.com/security/article.php/3762091/Are+Bug+Disclosures+Helping+or+Hurting.htm

[menty666]

Frankly it makes more sense for non-locksmiths to try to pick the locks for the same reason you don't allow engineers to test their own code; they know how it works and how to make it work right.

In regards to the complaining from the manufacturers that people shouldn't publicize the methods.....people I worked with used to get upset at our QA testers when they found bugs in our code. I never did, I told my co-workers that if they didn't leave the mistake, the tester wouldn't have found them. Same theory goes for locks. If you don't want a vulnerability found, don't leave one there. The long and short of it is that any lock that has a legitimate, intended way to open it also is vulnerable to unintended methods.

And finally.....it's illegal to sell lock picking equipment to non-licensed professionals, but it's not illegal to buy a hacksaw blade and a bench grinder to make my own.

[Lerianis]

Actually, it isn't illegal to sell lock-picking equipment to non-licensed professionals in most states. The federal government tried at one time to make it illegal, but the Supreme Court overturned that law, saying that it was an unjust limitation on the American citizen who might want to learn how to pick locks so, if they accidentally lose their housekey, they can get into their own home using their lockpicking set.

[rcardona2k]

Same principle applies to physical security: as soon as a vulnerability in a lock is discovered you'll likely see a youtube video exploiting it shortly.

[fokkwp]

"We believe that lock picking, obviously, is an illicit activity, even if it's a sport. " -----

Absolute nonsense. Show me such a law. There is a law against entering someone?s property without permission, but for sure if you own or have permission to access the lock you can try to pick it. Similarly, hardware stores will tell you there is a ?law? against duplicating a key because someone has stamped ?do not duplicate? on it. There is no such law. ----

?Unlike with software, where patches and fixes can be downloaded quickly, locks have to be physically replaced when they are found to be vulnerable to picking.? ----

On the other hand, once a software vulnerability has leaked out, a hack can be applied to millions of computers simultaneously by even a small group of hackers via the web, within a day or so. It takes much longer to train the whole criminal community on a new lock exploit, and longer to try it out in practice. There is time to change locks, or at least take advantage of the vulnerability information to reduce exposure.

[gridwerk]

"The industry doesn't need outsiders pointing out flaws with products because there is an established system in place for creating new standards for manufacturers to follow"

No, actually, its because of those standards that the industry needs outsiders. Mitnick also helped to change a fairly standardized system known as the United States Judicial System.

[el_bowman]

We performed a security audit on an office doing business with State and Federal governments. They were so proud of their high tech card reader locks on every door. Their jaws dropped when I pulled up a chair and popped out the acoustic ceiling tile and hopped over to the other side of the 'locked' door.

Dr Zinj is right. Why waste time trying to defeat a security device if you can quickly go around it?

[protagonistic]

"Their jaws dropped when I pulled up a chair and popped out the acoustic ceiling tile and hopped over to the other side of the 'locked' door."

That would not have worked at one facility i worked at. Popping any floor or ceiling tile would trigger an alarm which would in turn cause an immediate lockdown of the entire base. This was normally followed by armed SPs.

Since accidents do happen we managed to **** a few people off when this occurred at quitting time. But as a licensed locksmith I can tell you the only reason you have locks on your house is to keep your honest neighbors honest. They for darn sure won't keep a professional out.

[Lerianis]

protagonistic is right: locks will not keep out a professional locksmith, or a professional thief.

[Get_Bent]

Here's an idea: design better locks, and they'll be harder to pick.

[Lerianis]

Actually, no, they wouldn't. There is an agreement in place (that my local locksmith told me) that manufacturers will NOT improve their locks. Why? Because it would mean that locksmiths and others would have to be retrained to pick the new, better locks.
Really, all you need to get around a lock is one of those heavy-duty steel cutters. My father lost his key once, had to call campus security to remove the lock on his locker...... a petite 100 pound lady cut through that lock with a pair of HUGE boltcutters like a hot knife through butter, to his astonishment!

[datasecuritypodcast]

There are a lot of interesting twists and turns to the reported vulnerability in certain Medeco locks. You may listen to a pre-DefCon interview with Marc Tobias about the Medeco issues he discovered on the Data Security Podcast here: http://datasecurityblog.wordpress.com/2008/07/28/data-security-podcast-episode-11-july-28-2008/

The interview is about :15 min into the program.

[iceman678]

Unscrupulous corporations will always do whatever they can to increase their bottom line. They have repeatedly tried to strong arm the public by threatening legal action unless they stop hurting their business. They want to force people who find these flaws to remain silent locks so that they do not have to replace them.

I just hope the day does not come when a judge in any court in North America gives in to their utterly ridiculous and completely absurd arguments. Hats off to Tobias for standing up to these greedy, money grubbing corporations who are attempting to stifle progress, scientific research and even the human thirst for advancement just to make more money.

[Fil0403]

"Security through obscurity" has been Apple's motto for years and I don't see many people worried about that, why should that be?

[mattmia2]

I think that this is the only case where the manufacturer would be overtly attacking the person who reported the problem for reporting it instead of trying to defend themselves against the liability. They have basically admit that they are covering up the problem. This would seem to be an admission of liability for any losses sustained form the exploitation of the weaknesses in their locks.

[senojetan]

there is this floor door lock called the door chucky it is a<a href="http://www.doorchucky.com/">
security door lock</a> that fits on your floor. This lock can with stand a lot of force. It is mostly designed to keep you safe when you home. this <a href="http://www.doorchucky.com/">
front door lock</a> is pretty nice

[senojetan]

there is this floor door lock called the door chucky it is a security door lock that fits on your floor. This lock can with stand a lot of force. It is mostly designed to keep you safe when you home. this front door lock is pretty nice. you should check it out at

http://www.doorchucky.com