
Things that happen at a lock-picking convention (2013) - pmoriarty
http://www.slate.com/articles/life/crime/features/2013/the_lock_pickers/locksport_the_strange_things_that_happen_at_a_lock_picking_convention.html
======
wonderous
Favorite lock currently is the Bowley.

Demo animation:
[https://m.youtube.com/watch?v=jgekjfwphGc](https://m.youtube.com/watch?v=jgekjfwphGc)

Here's a great analysis of the lock with an attempt to pick it and a breakdown
of the design after taking it apart:
[https://m.youtube.com/watch?v=b96pmWSArr4](https://m.youtube.com/watch?v=b96pmWSArr4)

----

EDIT: In case you want to buy a Bowley Lock, they're now available for sale to
the public here:

[http://www.bowleylockcompany.com/store/c1/Featured_Products....](http://www.bowleylockcompany.com/store/c1/Featured_Products.html)

~~~
falcolas
I keep seeing mention of how great this lock is, but all mentions go back to
this same couple of videos. Makes me really suspicious of astroturfing,
frankly.

IIRC, also wondered how this particular design prevents against bumping; none
of its protections really seem aimed at that usecase. Not to mention the
relative frailty of the key, and the general problem of an easily visible (and
thus reproducible) secret.

~~~
wonderous
Think if you believe you're able to pick it, then buy one, pick it, post the
video to YouTube with ADs enabled - and you'll easily make back the cost of
buying the lock.

As for bumping and the key strength, given those topics are covered in the
second video, your comment to me at best feels naive.

Lastly, no system is perfect. Even if the metal the lock is made of was
unbreakable and as a result you couldn't destroy the lock to bypass it, you
could still build a robot that inserts a metal key to turn the lock and
dynamically assembles and inserts every possible bitting for each pin.

Feel free to post a lock you like, locks to me are more about simplicity vs
security - not some overly complex system that will never be used in mass
production.

~~~
gech
You didn't respond to the first point about astroturfing.

~~~
caminante
The first sentence argues that buying the lock and posting a video of cracking
the lock would be financially positive.

It's also not astroturfing if the company itself is advertising the product.
The video's linked from Bowley's youtube channel.

~~~
Teever
So is wonderous working for this company?

~~~
caminante
What's your point/argument?

~~~
mentat
In Hacker News it's considered to be good form to disclose financial
associations. Do you also work for the company?

~~~
caminante
_> Do you also work for the company?_

I submit that your statement relies on an unfounded premise (at least from my
scan of this thread) that wonderous works for the company.

Also, by your standard, if wonderous doesn't work for said company, he's still
complying with your "standard." Yet, you're still making an implicit
accusation.

The purpose of my initial comment was to address the potshot accusation of
astroturfing after, IMHO, wonderous had responded in good faith.

------
ransom1538
I came to work early once and forgot my keys. I decided to just sit on the
ground and go through commits [pathetic]. A newer dev, recently hired came by
next. I explained the situation. He then grabbed a weird small set of tools
out of his bag. After about 3 minutes he opened the door. I was totally
horrified. I am not sure if I was more upset he had the tools on him, the
tools WERE LEGAL, or how easy it was to steal all our cool hipster monitors.
He went on to explain how he couldn't get into various types of locks and
which locks he was training on -- like some type of club or sport.

~~~
trome
Why should a toolkit be illegal, and why should you not carry your tools with
you? Picking a lock is usually the slowest way in, if you are trying to
increase security, paying a premium for a better lock while retaining windows
and unreinforced walls is a poor decision.

~~~
gambiting
In the UK possession of a lockpicking kit in public is very much illegal,
unless you have a professional reason to carry one. Same with a knife - unless
you are literally bringing one back from the store to your home, you can be
arrested for having one.

~~~
jnicholasp
> same with a knife

Any knife? You can't carry a pocket knife in the UK? That's ridiculous. Knives
were nearly the first tool proto-man ever made, and they're still the most
useful general purpose tool you can have.

~~~
afandian
No.

> Section 139 of the Criminal Justice Act 1988 prohibits having with you, in a
> public place of any article which has a blade or is sharply pointed,
> (including a folding pocket knife if the cutting edge of its blade exceeds
> 7.62cm/3 inches) (Archbold 24-125).

[http://www.cps.gov.uk/legal/l_to_o/offensive_weapons_knives_...](http://www.cps.gov.uk/legal/l_to_o/offensive_weapons_knives_bladed_and_pointed_articles/)

~~~
cabaalis
A 3-inch blade length restriction is reasonable. For instance, it was illegal
until 2014 in my state to carry a blade longer than 4 inches. (There is now no
limit.) During the majority of my life that it was illegal to have a longer
blade, most people I knew still carried pocket knives that were legal to
carry.

~~~
pmoriarty
Why is a restriction of 3 inches reasonable again? Why not 4 inches or 2.5
inches or some other length?

~~~
michaelt
3 inches is no more reasonable than 70 mph as a speed limit. But if you accept
that some limit should exist, it has to have _some_ value, even if all the
choices are equally arbitrary.

~~~
pmoriarty
If any speed limit and any knife length is equally arbitrary, then a nation-
wide speed limit of 1 mph and a legal knife length of 100 inches should be
perfectly acceptable to everyone. Yet it's quite likely many people would
object to both.

~~~
gjm11
I don't see that cabaalis said that _any_ limit is equally arbitrary, and I
doubt s/he thinks that.

Some limits are more reasonable than others. Saying "you can have knives but
the blade must be no more than 5mm long" would be stupid; so would saying "you
can drive a car but no faster than 1mph". (Because in either case you might as
well, and should in preference, just say "you may not"). Likewise for a limit
of 10m or 500mph (because then you might as well, and should in preference,
just not bother with the limits).

If you're going to have a limit on the length of a knife blade, presumably for
the sake of a small reduction in knife crime, you want a limit long enough
that some (non-criminally) useful knives are shorter and short enough that the
restriction, if it reduces the number of long knives in circulation, would
actually do something to impede crime.

It seems plausible that a 3-inch limit would do that. Maybe a 4-inch limit
too. The exact choice of limit isn't completely arbitrary: some choices are
better than others. But really, the only answer to "why 3 inches rather than
4?" is "that's where we happened to make the tradeoff".

I'm guessing (not least because the above all seems kinda obvious) that your
actual objection is to having any limit at all. (Perhaps on the grounds of
some more general libertarian principle?) That's a reasonable objection, but I
don't think "why 3 inches rather than 4?" is a good way to make it.

~~~
pmoriarty
I wasn't trying to make an objection. I was just trying to understand what the
argument was for making the limit 3".

As for the "criminally useful" argument, I struggle to imagine what crimes
could be committed with a 4" knife that couldn't be committed with a 3" knife.

You say it's plausible to you that a 3" or 4" limit would reduce knife crime.
What makes you think that?

~~~
gjm11
It seems plausible to me -- I don't claim any more than that, and I am no
expert on this stuff -- that:

1. If possession (in public places) of knives above (say) 3" is illegal,
fewer people will go about carrying knives above (say) 3". It probably won't
make any difference to someone _planning_ to get into a knife fight, of
course.

2. If fewer people are casually carrying big knives, then there will be fewer
opportunities for conflicts to escalate to fights involving big knives. For
instance, a bar fight is less likely to end up fatal if fewer people in it are
carrying serious knives. A burglary is less likely to end up fatal if the
burglar isn't. Some muggers may choose to make do with musclepower rather than
knives (so they're less likely to get into serious trouble if a policeman
thinks they look suspicious). Etc.

3. Fights involving big knives are less dangerous than fights involving
smaller knives, e.g. because a bigger knife is more likely to end up doing
serious damage to internal organs. (If an expert fighter is specifically
trying to do you serious harm, I'm sure they can do it with a small knife. Or
a toothpick. But in cases where the goal is "establish dominance" or "get away
safely from the house I just burgled" or "make my victim sorry he didn't just
hand over his wallet" and there isn't serious intent to kill, I expect smaller
knives to do less harm on average.)

Astute readers will notice that I'm now talking about knife _fights_ rather
than knife _crime_. My guess is that premeditated crime-with-knives probably
wouldn't be much affected by this sort of ban. So, though I'm sure all the
things I'm hoping would be reduced would technically be knife crimes (i.e.,
crimes committed using a knife), I think my use of that term was unhelpful.
Sorry about that.

~~~
gambiting
Well, same arguments as with guns, really. Smartly, UK police has figured out
that a policeman can't shoot anyone by mistake if they don't have a gun - so
UK policemen don't carry them at all. If you reduce a number of people
carrying long knives, you reduce the number of people stabbed with long
knives. Obviously, just like with guns - people who want to have a knife and
use it to commit crime, are still going to.

------
ceautery
I never learned "real" lockpicking, but I'm puzzled at how trivial it is to
bypass some lock systems. For instance, the Kensington laptop lock, which was
purchased in bulk for all the laptops of a large utility I worked for some
years back.

I once misplaced my key, and managed to pick the lock with a small strip of
plastic used to bind boxes of printer paper. The longest part of the endeavor
was finding a pair of scissors to cut the plastic to the right size.

The lock/cable in question retails for about $40. Assuming we paid half that,
we still dumped thousands of dollars on presenting only an image of security.

~~~
AtheistOfFail
Those things aren't designed for the dedicated guy who can pick it, they're
designed for someone who breaks in and just grabs laptops as they go.

~~~
arkades
I think his point is: it takes little skill (because I figured out how to do
it on the fly) and little equipment (ziptie). Implicitly: anyone with any
interest in grabbing laptops could spend 5 minutes on youtube and 5 minutes
prepping a ziptie, and maybe 20 minutes practicing, and be as capable of
walking around grabbing laptops as he was before the security locks were
purchased.

------
praptak
I've spoken to a private investigator in 2015 who told me that bump keys made
lockpicking disappointingly easy. Their downside for a criminal is that the
application is rather loud, compared to the classic pin-by-pin lockpicking.

That was the state for 2015, things might have changed.

~~~
lucideer
Bump keys make lockpicking disappointingly easy _for locks that are easy to
pick_. They take something that's a nice challenge for a beginner and make it
easy for anyone.

However, a good lock that's difficult to pick for anyone, with or without bump
keys or comprehensive experience, is pretty easy to come by. That said, the
hard thing is often knowing the difference: expensive and heavy are not
necessarily good hints.

~~~
pmoriarty
This is not actually true.

From around the 35 minute mark in the _"What The Bump"_ talk, security
researcher, TOOOL founder and President Barry Wels said:

_"It [bumping] also works on these high security locks: multiple rows with
dimples, keys that look really dangerous thinking if I have these on my door
I'm really safe. The thing is, they open just as easy as the other locks, as
far as we've seen. The only problem is getting bump keys. We really had some
help from some of the state of the art Dutch locksmiths, with very advanced
tools to make these keys. But once you have these keys, they're just as easy
to open as the other locks. One of the statements which is my favorite is: I
think you can teach this to a monkey to open locks like this. I'm still
looking for somebody with a monkey to actually shoot some video. If you know
somebody with a monkey that we could train to do this, that would be fun._

_"It also works with locks with moving parts in it. The ball offers no
protection because you take the original key, it has all the information
already in it. The ball is always in the same position or there are two
different spacings of the ball. It all works the same, because there are a lot
of locks with protective measurements that are standard for all the locks. So
once you have a key that is cut to the deepest, these mechanisms are still in
place. The ball is still there, for instance, and it will still open._

_"We opened some pin-in-pin locks. The brand name is Mul-T-Lock. They
were not happy that we opened them, and they were not happy that they were
being mentioned in a white paper, and they more or less demanded a public test
to show that it wouldn't work. So when the guy was at our place I explained to
him how the technique actually worked, because he had no clue. So then he
demanded a closed test where the results were kept secret. I said I'm willing
to do that. He also put a time limit of four days or something ridiculous like
that. So I said I'm willing to do that but it will be on a commercial basis
because I can not use the information for my website, you want to keep it
private. When I told him my price just to keep it friendly -- I wasn't asking
a lot of money -- he ran away and never seen again. I do hear he's still very
angry. But if Mul-T-Lock wants a serious test, they can always contact me
directly, but not through this Dutch sub-dealer of them._

_"We opened some impossible locks. By impossible, I mean I opened some
locks, and you can see it on the other video, it's available online if you go
to the toool.nl website. I opened some locks that I would never open without
damaging it ever, because the mechanism is so well designed. There's only one
flaw, which is that the part that makes it secure stays the same in all the
keys, and only the variation pins change. I'm talking now about the Assa Twin
lock. It's a lock with two rows of pins, and the secure row of pins is always
the same in a certain region, which makes it very vulnerable for this attack.
Talking about the Assa Twin, another reason that I thought I would never be
able to open a lock like that is that it was so well engineered, the
tolerances are so small, if the pin is half of a millimeter or a tenth of a
millimeter too high or too low, the whole lock does not work any more._

_"This is also something that we found, that the tighter the lock is made,
the more engineering is put in to the lock, the better this technique works.
If the key that slides in to the lock wiggles too much because the key has got
a lot of space in between, the energy transferred is a little bit lost. If the
pins in the chamber have a lot of tolerance and are not straight in the house,
but a little angled or a little bit left-right, the energy is not transferred
ideally. So the more expensive and the more engineering is put in to a lock,
we found most of our favorite locks opened within a few blows because they are
so well designed that they are perfect impact energy transmitters that allow
smooth transmission of this energy."_[1]

That said, since the technique of bumping made a big splash in the mainstream
media, lock manufacturers have experimented with and released locks with
"anti-bump" features. Those locks might not be as susceptible as the locks
that were the subject of Wels' talk. On the other hand, there are and will
continue to be plenty of locks in use that don't have any anti-bump features
at all.

[1] -
[https://www.youtube.com/watch?v=lRv_JN5oedE](https://www.youtube.com/watch?v=lRv_JN5oedE)

~~~
lucideer
His opener about the monkeys refers to "these high security locks", but the
description that follows seems to describe locks that are big and heavy and
look intimidating, but don't actually deliver any challenging security. This
is, in my experience, quite common.

He does then go on to describe bumping more challenging locks, but I'm not
convinced these would be as easy. Especially for a monkey...

~~~
pmoriarty
I didn't hear him mention the size or weight of the locks they tested
anywhere. Please point out where he says that.

If you are skeptical of their results, I urge you to try the technique
yourself on some locks you consider to be worthy of the challenge and publish
your results.

~~~
lucideer
He doesn't mention size or weight, but I was extrapolating from this line:

> _that look really dangerous thinking if I have these on my door I'm really
> safe. The thing is, they open just as easy as the other locks_

which makes it sound like he's describing locks that _seem_ secure, rather
than locks that _are_ secure (e.g. because of their look, advertising, weight,
size, colour, whatever).

I could be misreading him. I'm not contradicting the text, just interpreting
it. If he genuinely means that very secure locks can be opened by a
monkey/beginner with a bump key then I'd take his word for it. I'm just not
sure that that is what he's saying.

~~~
pmoriarty
My takeaway from his talk was a wide range of locks were vulnerable to
bumping, including locks that were highly resistant to other attacks,
including _"some locks that I would never open without damaging it ever"_ and
_"most of our favorite locks"_ (i.e. otherwise truly excellent locks).

So to claim that locks that are difficult to pick are necessarily difficult to
bump runs counter to the findings expressed in this talk. In fact, the
findings are quite the opposite, as many locks that are difficult to pick
because of the tight tolerances and high quality engineering are actually
easier to bump than locks which are easy to pick.

~~~
lucideer
I haven't listened to the talk, just read your transcription, so I'll take
some time to give it a listen. It does sound very interesting in general.

------
MrQuincle
What makes a lock strong?

I think if it's the amount of metal that is inaccessible to the outside.
Something like the Haven lock that is bolted to the floor, makes a lot of
sense.

That of course requires a way of opening that is digital.

I'll think of the pros of digital locks:

+ The proliferation of protocols makes master keys almost impossible.

+ Faster update cycles when encryption gets cracked.

+ Keys that are handed out to household members or visitors with potential
losses can be easily retracted.

+ The above separation of concerns. The way to keep someone out should be
separate from the way to ask for permission to enter.

+ The easier integration with other security layers such as face recognition,
voice recognition, etc.

~~~
jwilk
I wouldn't put too much faith in competence of digital lock manufacturers.

[https://media.ccc.de/v/33c3-8019-lockpicking_in_the_iot](https://media.ccc.de/v/33c3-8019-lockpicking_in_the_iot)

~~~
MrQuincle
Sure, but we've heard all the arguments against digital locks many times. I've
never encountered a list with arguments in favor of them.

Sorry, if the above was off-topic. Downvotes humbly accepted.

------
sealub
I remember when I learned how to open up high school locker room
lockers...quite the rush when the first one opened. good times.

~~~
Broken_Hippo
I, on the other hand, got kicked out of algebra class because someone stole my
book from my locker. The school tried to tell me that it was obviously my
fault because the locker wouldn't have been able to be opened had I only
closed it correctly.

~~~
jsolson
My natural reaction to that would've been to leave the school and every locker
in it unlocked over the course of a weekend.

Not claiming any responsibility for it, naturally, simply observing that it
had happened.

~~~
Broken_Hippo
My father was the business manager for the school system - stuff like that was
a bit difficult for me to get away with without weird consequences.

------
eps
So what were these strange things promised in the title?

Looked like a perfectly normal lock-picking convention to me.

~~~
tajen
Yes. It's just lock-picking art. I was expecting stories like the organizers
finding the party "reversed" (=while organizers are in the main room, most
attendants found their way into the backstage) or the parking emptied of all
its cars after the first hour of the conference. Defcon seems funnier ;)
[https://www.reddit.com/r/Defcon/comments/4x47ss/share_your_f...](https://www.reddit.com/r/Defcon/comments/4x47ss/share_your_funny_defcon_stories/)

------
Veratyr
For anyone interested in this, I recommend the Bosnian Bill YouTube channel:
[https://www.youtube.com/user/bosnianbill](https://www.youtube.com/user/bosnianbill)

He picks a ton of locks and has a few recommendation videos if you're looking
to buy.

------
chayesfss
If you see these guys at security conferences, buy cash, don't have it linked
to your personal cc, I'm probably overly sensitive but whatever...

~~~
pmoriarty
What are you afraid of?

~~~
yjftsjthsd-h
Standard answer to "if you have nothing to hide..."; someone, somewhere, can
assume the worst from that information, and sometimes that person is legally
empowered to make your life miserable based on their conclusion. So the
logical choice is often to take measures to protect your privacy even when it
shouldn't be necessary.

------
amelius
So do any automated lock picking devices exist?

~~~
wonderous
All automation requires some action.

Bump keys are a simple "automated" way to pick a lock:
[https://en.m.wikipedia.org/wiki/Lock_bumping](https://en.m.wikipedia.org/wiki/Lock_bumping)

If you feel like tapping a bump key with a hammer is too much effort, you could
attach the bump key to a vibrating toothbrush; aka a "SonicBump":
[https://m.youtube.com/watch?v=rDlZbQ20aLI](https://m.youtube.com/watch?v=rDlZbQ20aLI)

------
bike4beer
Read Feynman's book "Surely You're Joking Dr. Feynman", he's got an entire
chapter on safe cracking.

Yep, I remember in high school, in fact it was in Pasadena not far from Cal
Tech, I don't remember who, but somehow I learned from somebody how to open
the high-school lockers by 'feel', in a fairly short-time I could open any
locker quicker than my own knowing the combo.

Locks are fairly amazing when you think about it the locksmiths and the
criminals all know how to crack any lock, yet the people in the middle think
they're secure.

Years later as a landlord I got to know my locksmith fairly well, one day by
offhand he told me that the master-key ( So I could have one key to rule them
all ) I was using could open 1/2 the units in the city.

~~~
vincentbarr
(1) I love your book recommendation; however, it dedicates maybe one or two
pages to safe-cracking, so I would not recommend it for this purpose.

Instead, I would read the material that Deviant Ollam has published
([http://deviating.net/lockpicking/resources.html](http://deviating.net/lockpicking/resources.html))
or look for an upcoming TOOOL meetup ([http://toool.us/](http://toool.us/)).

(2) I don't intend to be pedantic – and perhaps I'm mistaking hyperbole for
fact – but how could you be opening a combination lock with a secret
unbeknownst to you more quickly than a combination lock with a secret
known to you? Unless you're shimming the new lock and avoiding dialing the
correct combination altogether, in which case you would solve all the locks
in the same span of time, this is unlikely. However, you said you're opening
the lock by 'feel,' so I assume that's not the case.

~~~
jsolson
With respect to #2 -- "more quickly" could be a bit much, but there are quite
a few combination locks (of the sort commonly found on cheap-ass high-school
lockers) wherein getting within 2-3 digits of each digit in the combination is
sufficient to open them.

Given that, I could easily see how "feeling" that you'd hit the right digit
(give or take) might be faster than focussing on visually _actually_ hitting
the right digits.

~~~
notatoad
when i was in high school, the school issued old master combination padlocks
to everybody and they had a very obvious audible and tactile "thunk" when the
dial hit the right number, if you pulled down on them the right amount while
spinning the dial.

and yes, it actually was quicker to open them by feel than by looking at the
numbers on the dial.

------
jlgaddis
(2013)

~~~
aaron695
I did wonder why Slate had an interesting article like this. They really lost
the plot in the last few years.

------
bbcbasic
Free hotel accommodation, for one.

------
mirimir
_/|_/|_/|_/|_/|_

;)

