One of my main goals is to be an inspiration, though if it was based on my design I wish they’d credit it. Especially since they’re patenting it.
I'm currently an operator of heavy machinery in a factory making tools for the wafer industry, although my main career is in software development. I'm actively working with the tools and software used to get a better understanding of the disconnect between engineering and operations. It's been a great way to consider how to improve tools in ways that aren't just "better" from a software/engineering standpoint.
Also, holy cow. I've watched all of your videos multiple times. You are truly an inspiration. Thank you, and apologies for the fanboying.
Do it in the open, like Stuff Made Here!
Unpickable locks aren’t that unique or rare in the community but they tend to be too complex to make it to market at a reasonable price or with the ability to withstand years of wear and tear and still work.
He says he's going to make a small number of prototypes and send them to the locksport community. It's not a "red flag", it's just very early in his design cycle.
It's for locksport and to play right now. There's no ready means to actually... lock something.. with it.
Edit: ok, it wasn't on LPL, or a similar design at all, it was this lock and it was on Lock Noob, I found this was in my viewing history and it was just recently published, it must be the video I remember:
https://www.youtube.com/watch?v=qNHFyc1oMwU (I see this was also linked down thread)
It looks like a very good design! I'd like to see it in front of Lock Picking Lawyer too
I would assume there are much better locksmiths on the planet than the most famous one on youtube who does it as a side job.
He's clearly a good lockpick, but even in a thread that isn't about him, he's somehow dominating conversation and gathering plaudits. I completely agree that being famous doesn't make you the ultimate arbiter of anything.
As someone who doesn't know anything about lockpicking, I feel like part of a weird minority here. What do I know but I'd assumed one would take it to a convention or competition where the best lockpickers in the world meet, not a youtuber. Something like this: https://www.wired.com/2014/12/international-competition-mast...
Now you do? There are definitely lawyers who frequent this site. And lockpicking is a common interest of computer security experts.
When I looked it up out of interest, he isn't mentioned as the world expert in actual lockpicking forums. I found a couple of other names but in any way, it makes more sense to have it tested by a group of experts than just a single person. One person may fail, but if an entire convention full of the best lockpickers can't pick your lock, that's a much better indication the lock really is unpickable.
The only "ads" you get will be the ones the video uploaders encode directly into the video itself. Plus you can watch using whatever playback software works best on your system, instead of the rather feature free JS player youtube provides.
But it seems likely to me that YouTube will eventually start embedding the ads more inextricably into the video streams while downloaded. Especially as more people use tools like youtube-dl/yt-dlp to circumvent ads.
He picked a lock with the same concept by swighton (Stuff Made Here), but exploited a flaw that had nothing to do with the mechanism.
I think one problem here is that the more complicated you make a locking mechanism, the more you suffer by increasing the attack surface with other potential flaws or just the lock being physically weaker (i.e. smashable).
Kinda like how the most advanced cryptography is usually broken because someone made an error in the complexity of implementing it.
To put it bluntly, all these fancy pick-proof designs people are coming up with have zero real world utility and are just toys for locksport enthusiasts to play with.
EDIT: and really, I'd say all the patent discussion is moot. A patent is only useful if there's a market for your product. This product has design shortcomings that render it a non-starter for most applications, i.e. no master keying capacity, which makes it useless in any institutional setting, and a design necessity of using critical precision parts that won't handle outdoor exposure well, and a physical size that makes it incompatible with even the largest north american cylinder format. This is a product without a profitable customer base.
Foolishly, I had used the sturdy Medeco key to cut through some packing tape on a package. The gummy adhesive left over on the key wasn’t that noticeable and would probably not have interfered with the operation of ordinary pin tumbler locks, but high security cylinders are usually made to tighter tolerances making picking more difficult. In Medeco cylinders the pins have two degrees of motion (up and down and rotation on their long axis). The sticky key likely gummed up the operation of one or more pins so that I couldn’t unlock the door.
A trip to the hardware store for some spray cleaner/lubricant finally got me inside, but for a while I was afraid that the lock would have to be drilled out (difficult because of specially hardened elements designed to thwart drilling).
The key spools have a narrow section at the correct position. I see no reason why they could not have multiple narrow sections. The inconvenience is that you would need to stock 10 additional spool types to allow for 2 position opening. (or 6 if key spools are symmetric), and more if you ever need three valid positions for a pin. (These numbers get worse if the system is extended to more than the 5 positions of the prototype).
I'm not sure this is actually all that much more complex, or having more critical precision parts than some of ASSA ABLOY's offerings (like Medeco). The pin-stacks being too tall for standard US cylinder sizes though does seem to be a rather substantial problem.
I assume that most people know that this is more of a hobby thing (and a cool one), but I also forget that not everyone has demolished a house with a handheld reciprocating saw.
In any case, this guy's design I think is a significant improvement over swighton's. swighton made it so that the key triggered the locking mechanism as you pressed it in, this guy made it so that you had to turn the key to test the locking mechanism, as well as adding a multipin stack.
Interestingly, videos don't seem to count? It must be a written description?
Wondering the same myself. Googling for this issue turns up this power-point which seems to imply on page 6 that "electronic publications, on-line databases, websites, or Internet publications" are also considered as "printed documents". But this is just a power-point so who knows which standard gets applied in practice.
I get the impression that the "printed document" language got written before digital documents and the internet were a thing.
I am not a lawyer, don't know a thing about the topic, this is not legal advice etc.
Amazing content, your shows are some of the best YT has to offer.
His shop is also any ME major's wet dream (and he totally earned it!).
First we should proudly make the key flat as security by obscurity is not done. We should solve the problem for real and it has to be easy to manufacture.
The real idea: put a tube around the cylinder. After rotating the cylinder by 45 deg it drags the tube along.
[cylinder][ tube ][case
key]||||||||[ ][ ]////
[cylinder][ tube ][case
Different keys can be had by changing the number of discs. No machining required.
(Going to implement that one on all my enter password pages.)
It might be a struggle to prove prior art but you might have enough sway to be able to find a pro-bono lawyer, and/or publicly pressure or embarrass him into compromising. Patreon would almost certainly help with costs too.
Seriously, you have a tremendous amount of credibility in maker/engineering communities, among others. Thank you very much for doing what you do.
I was trying to find interviews that you’ve done to learn more about how you came to know so much, but it looks like you’ve never really done any interviews. Any reason why?
For those that did not watch it. The lock was left to be pickable on purpose. The improvements were purposely left out so LPL could pick the lock for entertainment purposes.
You are a HUGE inspiration to me, slowly growing past 55,000 subs.
Thanks for the amazing videos and inspiration!!
I'd guess many many people have had this same idea.
Very very tedious though and I never tried it.
https://youtu.be/ai5Hf-wPXFE and he mentions it's a collaboration at 4:29.
I have one of the Enclave lock prototypes on my desk and can confirm the machining is brilliant and I have no idea how one could approach picking this. No feedback at all for correct vs incorrect.
I plan on taking it to my local SF Toool meetup to see if any of the true experts there can come up with anything.
You really cannot move the pins by vibrating the entire lock. The pins are so light that you would need tens if not hundreds of g of acceleration to overcome the spring force.
Not sure how well the lock is made but it may be possible to detect when pins 1 and 6 are in correct position - because the slider is "stiff against springing apart" at those pins, if you get what I mean. The key might turn a degree or so more if those pins are correct, which may be detectable. That would be only 36 positions to check.
Likewise, pins 2 and 5 should produce slightly more resistance than pins 3 and 4, but the difference would not be quite as pronounced. But if the difference is detectable, then it could be a possible attack strategy.
The underlying principle that's common between the StuffMadeHere and Enclave designs is 1. Decouple setting the pins from testing them, and 2. Do not allow the keyway access to physically manipulate the set pins while testing them.
Interestingly this same principle is used throughout cryptography, e.g. in constant time comparison algorithms. Basically, any partial success information leak can be used to reduce the search space exponentially. And that's what single-pin picking is all about, so it's cool that this idea has (finally?) migrated to physical security.
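The effect of a partial-success leak on search cost, as an added example that is not part of the original comment. It assumes a toy model of 6 pins with 6 heights each (the 46,656-combination figure quoted elsewhere in the thread); the `Lock` class and its `test_leaky` / `test_opaque` methods are hypothetical names, the first modelling an early-exit comparison and the second a constant-time one.

```python
import hmac
import itertools
import secrets

PINS = 6       # assumption: six pins
POSITIONS = 6  # assumption: six heights per pin, so 6**6 = 46,656 codes


class Lock:
    """Toy model of a lock: the secret code is one height per pin."""

    def __init__(self, code):
        self._code = bytes(code)
        self.attempts = 0

    def test_leaky(self, guess):
        """Early-exit check that reveals how many leading pins matched.

        This models per-pin feedback (or a byte-by-byte comparison whose
        running time depends on the position of the first mismatch).
        """
        self.attempts += 1
        matched = 0
        for g, c in zip(bytes(guess), self._code):
            if g != c:
                break
            matched += 1
        return matched

    def test_opaque(self, guess):
        """All-or-nothing check: one bit out, compared in constant time."""
        self.attempts += 1
        return hmac.compare_digest(bytes(guess), self._code)


def recover_with_leak(lock):
    """Solve one pin at a time using the leak: at most PINS * POSITIONS tries."""
    known = []
    for pin in range(PINS):
        for height in range(POSITIONS):
            guess = known + [height] + [0] * (PINS - pin - 1)
            # More than `pin` matches means this pin's height is correct.
            if lock.test_leaky(guess) > pin:
                known.append(height)
                break
    return tuple(known)


def recover_without_leak(lock):
    """No partial feedback: nothing better than enumerating whole codes."""
    for guess in itertools.product(range(POSITIONS), repeat=PINS):
        if lock.test_opaque(guess):
            return guess
    return None


def compare(code):
    """Return (attempts with the leak, attempts without it) for one code."""
    leaky, opaque = Lock(code), Lock(code)
    assert recover_with_leak(leaky) == tuple(code)
    assert recover_without_leak(opaque) == tuple(code)
    return leaky.attempts, opaque.attempts


if __name__ == "__main__":
    worst = (POSITIONS - 1,) * PINS
    print("worst case (leaky, opaque):", compare(worst))
    rand = tuple(secrets.randbelow(POSITIONS) for _ in range(PINS))
    print("random code (leaky, opaque):", compare(rand))
```

With the leak the cost grows as pins times heights; without it the cost grows as heights to the power of pins, which is why adding pins only helps a design that withholds per-pin feedback.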
Building a lock which does not leak any information about what's happening inside is equivalent to building a mechanical, room temperature quantum computer. For if that information isn't leaking to the environment in some way, there is no mechanism to decohere a superposition state. Hence in principle a mechanical lock which is secure in the information theoretic sense is impossible. It is still theoretically possible to make a computationally secure lock (eg a mechanical implementation of a hash function). But there's currently no real proof that one-way functions are actually one-way. The security of such a lock is subject to a foundational guess in cryptography.
I don’t see how this patent has any legs to stand on.
Well USPTO did move to first-to-file under Obama.
Is there a patent filed before this one?
I don’t like patents, because given the world population, any idea was had by someone that didn’t have the resources to file it. Publishing a timestamped design is, I believe, one of the least expensive ways to create prior art without creating patents.
Once that happens, getting it revoked is no easy task.
Prior art, whether from another patent or from some other source, will still establish that the applicant is not an inventor and not eligible for a patent.
First-to-file (FTF) only differs from first-to-invent (FTI) when there is an "interference". That's when two or more separate parties are simultaneously applying for patents on the same invention.
Under FTI your priority date was the date you conceived the invention if you then worked diligently toward reducing the idea to practice up until you filed your patent application. If you stopped working diligently on reducing the idea to practice and then resumed it, the date you resumed became your new priority date.
What counts as a break in working toward reduction to practice sufficient to reset your priority date? How much documentation do you need to prove you were working continuously on it from your claimed priority date?
Figuring all that out can be expensive and time consuming and often gives results that seem wrong. It's almost random whether the priority date by this method actually matches who seems to morally most deserve the patent.
FTF gives priority to whoever files first. It doesn't produce any worse outcome than FTI and saves a lot of time and money for both the patent office and applicants.
Even as an inventor with some experience in the patent process, I still find it hard to second guess the patent office on what they will accept or reject as prior art. The lawyers are better at it than I am.
More than once I've rushed breathlessly to the lawyers with screaming hot obvious prior art, and they say: "Meh, it's not prior art because of X, Y, and Z, nice try."
There’s a big world of lock design and research out there, and I doubt this company simply decided to rip off a YouTuber.
While you’re likely right, YouTubers are massive in terms of reach and popularity, and there are heaps of cases where companies have done exactly that…
Apparently it's common depending on the country you live.
Some countries have a first-to-file versus a first-to-invent patent system. And so you end up with people (often inventors or retired lawyers) who spend their days filing patents for other people's inventions. The idea being that they only need one or two of the patents in their lifetime to result in a massive payday for it to be all worth it.
Bottom line, you don't always patent the whole device, sometimes just the small unique implementation details are valuable enough.
And so rather than litigate, roll the dice and potentially strengthen the patent's standing sometimes it's easier just to negotiate a deal with them.
Yes, it costs money to get a patent invalidated based on prior art. But: an amount that even a single person who stands to actually gain from having a patent overturned should have no problem with. You're asking the USPTO to spend time redoing work, literally halting any other patent work they could be doing instead. So it's not a trivial amount, but it's also hardly a prohibitive amount if you actually want a specific patent revoked.
The AIPLA Report of the Economic Survey for 2017 notes that the typical patent infringement suit with less than $1 million at stake costs on average more than $600,000, while the typical patent infringement suit with between $1-10 million at stake costs on average nearly $1.5 million to litigate.
Costs for IPR or Post-Grant Review (approximate mean):
Through filing petition: $120,000.
Through end of motion practice: $300,000.
Through PTAB hearing: $400,000.
Through appeal: $600,000
I'm pretty sure 95% of patent applications and 50% of granted patents are attempts to steal someone's invention out from under them.
I also seem to recall that the LockPickingLawyer was able to break that lock using two separate methods that I didn't see addressed in the article, so I wonder how much this person just copied StuffMadeHere..
I'm no expert but at least I understand the things LPL did a bit better now.
This one does seem potentially more compact / compatible to existing form factors. Though it also looks like it'd be vulnerable to just torqueing it, depending on how strong that zigzag bit is. But I guess then you can just break the door.
"All is fair in Love and War"? The Geneva Convention would like to have a word with you on that. And good luck keeping someone who finds out what you did for love (and if you do, then you deserve each other), but all is definitely fair in lock picking.
Magnets, mallets, plastic pens, soda cans, springs, electric toothbrushes, masking tape, string, cardboard, water, salt water, we have seen it 'all' and the world is full of items that haven't even been tried yet because those all work pretty damned well.
Gotta love the description:
The Community Disc pick
Blah blah blah blah Lock picking lawyer blah blah blah Bosnian Bill blah blah blah blah blah blah blah
blah blah Over a year blah blah blah blah blah blah blah Pandemic blah blah blah blah blah blah blah
blah so many emails blah blah blah blah blah blah blah blah blah blah blah Isolation blah blah blah
blah blah blah blah blah blah blah blah blah back on carbs blah blah blah blah blah blah blah blah blah
blah blah blah blah blah blah blah blah blah blah blah blah Ties and no playoffs? Why do you even do this?
blah blah Zip ties blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah
blah blah blah blah Lucky Saskwatch blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah
blah blah blah blah blah blah blah blah blah blah Stop touching your face still applies blah blah blah blah blah blah blah
blah blah blah blah blah Black Finish blah blah blah blah blah blah blah blah blah blah blah blah blah
blah blah blah blah blah blah blah blah blah blah blah This is the way.
I was definitely not expecting that either.
That product description is making light of this reality. No matter what they write in the description field, it's all "blah blah blah" that most readers are going to skip over except the two crucial terms "Lock Picking Lawyer" and "Bosnian Bill." Everything else is wasted space. (And then they just threw in a couple of other random phrases for fun and to see if people were paying attention)
I find that part funny as I never saw any question in a comment answered.
Ultimately, even lengthening the time per attempt wouldn't help save it from attack, because not only is this lock susceptible to robotics, it's easily pickable with audio analysis. Much like the traditional mechanisms that this lock hopes to replace, you only need to analyze one to build a matrix applicable to all of the locks.
It's not unpickable, and the creator doesn't claim it's unpickable, either. So the title really shouldn't include the word.
I have no clue about locks, but there's a difference between brute forcing a password and decrypting it from the hash.
Lockpicking is defined as opening a lock with an instrument other than the appropriate key. It is not defined by how many attempts it takes. Many of the most common lockpicking methods are nothing more than brute force, which are sometimes incredibly effective. They're also sometimes the opposite of effective, meaning they may take many thousands of attempts before stumbling upon success. That doesn't disqualify them from the definition of lockpicking.
> You could also bring all 46k key variations and try them out [...] but that would not make the lock pickable if I was to talk about it.
The entire point of lockpicking is that you don't need to make every key combination, and instead only need a small set of tools or a single device. The personal decision to make every key instead of using another method, doesn't mean the lock isn't pickable, it just means you spent a lot of time making keys. You could also make all of the keys for a basic $1 padlock, but that padlock is still pickable with a paperclip. It didn't become unpickable by creating the keys.
> I have no clue about locks, but there's a difference between brute forcing a password and decrypting it from the hash.
Yes, the difference is that one will definitely take longer than the other, but you don't actually know which until you've successfully completed the task. They're both still password cracking methods with the same end result. One doesn't magically stop being a cracking method just because it takes longer.
Sure, if a particular lock is more prone to brute-forcing due to its design than an average lock (eg. side channel attacks like timing attacks with passwords), one could surely qualify that as a pickable lock (or a "weak" password scheme).
So I am not saying that a brute-forceable lock is not pickable, but that those are independent since every lock is brute-forceable. Sure, devil is in the details, and what seems like brute forcing is sometimes something smarter, but only when you are able to reduce the problem space from the full set of combinations would I say you are picking a lock.
Again, maybe I am totally off base with regards to terminology as used in lock picking circles, but this is how I would differentiate between different approaches.
You quite literally said it's not pickable and not even lockpicking at all, and have even reiterated as much in this new comment, so please don't pretend otherwise.
> but only when you are able to reduce the problem space from the full set of combinations would I say you are picking a lock.
All of the dictionaries and an entire industry of professional locksmiths disagree with that statement. Given that you've twice admitted to having "no clue about locks," I'm not sure why you continue to insist that uninformed personal opinions are somehow factually obvious.
> Sure, if a particular lock is more prone to brute-forcing due to its design than an average lock (eg. side channel attacks like timing attacks with passwords), one could surely qualify that as a pickable lock (or a "weak" password scheme).
You keep trying to apply the concepts of digital authentication to locksmithing, but they're just not applicable in the way you're describing. The "average lock" doesn't exist, and certainly can't be used as a basis for determining the threshold of whether an entirely different lock qualifies as pickable.
As far as I can determine, your opinion boils down to believing that successfully brute-forcing a lock with only 100 possible combinations does qualify as lockpicking, but successfully brute-forcing a lock with 1,000,000 possible combinations somehow doesn't qualify as lockpicking.
I'm not sure how that position is justifiable, made worse that the lock being discussed is notably prone to brute force and within a very reasonable amount of time. So, if "weakness" is your qualification for a lock being pickable, then you're arguing against your own assertion that this lock is unpickable.
I think you have a problem with me communicating using (formal) logic.
If I say that A (lock is brute-forceable) is true, I am not making a statement on whether B (lock is pickable) is true: it could be either true or false. When I say that B is not true when A is, it means that B does not follow from A.
As an admitted non-expert, I find it useless to consider something that's a tautology (always true, lock is bruteforceable) as a special skill (lock-picking), and I complain of the terminology. IOW, it is my personal opinion that this is a useless terminology if it's used like that.
> As far as I can determine, your opinion boils down to believing that successfully brute-forcing a lock with only 100 possible combinations does qualify as lockpicking
But I explicitly clarified my position, and you even quote that twice:
Which means that a lock with 100 combinations, and you try all 100 of them, you are not lock picking, but if you reduce that to trying out 50 combinations, then you are (again, I hope I don't have to highlight how this is my opinion of the terminology: I am repeatedly claiming I am no authority, but I can still have an opinion on language, along with the argument I am presenting).
I apologize if my use of somewhat general language confuses you: my background in formal maths influences the way I communicate sometimes.
The problem is that what you're saying is contradictory to itself. You're conveniently ignoring all of the flaws being pointed out, and instead reiterating the same argument ad nauseam, while also moving goal posts and morphing qualifiers as needed.
> but only when you are able to reduce the problem space from the full set of combinations would I say you are picking a lock. Which means that a lock with 100 combinations, and you try all 100 of them, you are not lock picking, but if you reduce that to trying out 50 combinations, then you are
The fundamental concept which you keep acknowledging but refuse to accept, is that brute force is a reduction of the problem space. In fact, it's a >99% guarantee to be reduced. Whereas the other lockpicking methods with a reduced space are not actually guaranteed to defeat the lock in a shorter amount of time, if at all.
You even acknowledged in your first comment that brute-forcing a limited set will, on average, require half as many attempts. Since your qualification for being pickable is that the problem space is reduced by half, then brute-forcing meets your definition of lockpicking half of the time. At that point, it's irrefutably classifiable as lockpicking, with the understanding that other methods may be more (or less) effective.
And you're still ignoring that the entire point of the lock being discussed is that traditional lockpicking methods wouldn't work. At all. Yet, when presented with an option to defeat the lock in less than 4 hours, your reaction was to repeatedly state that it doesn't even count as lockpicking. I don't know what else to say.
I am not ignoring it: I was bringing a point on terminology, not on this particular lock or lock-picking methods.
You seem to be unable to accept that people tend to and do use different terminology for same things, or same terminology for different things.
> Yet, when presented with an option to defeat the lock in less than 4 hours, your reaction was to repeatedly state that it doesn't even count as lockpicking. I don't know what else to say.
You need not say anything else, because I like to consider this a design idea, rather than a lock on a non-existent door.
What would be the effect on the time to "lockpick" exactly the same type of lock but with two more or double the number of pins (as an obvious counter measure)?
Remember that this is a proof of concept lock and there are no doors it protects, so any actual implementation should be able to easily apply obvious extensions where higher security is needed. Again, it's not about this particular lock, but if there is an obvious scalability to the design, a lockpicking method only works if it scales linearly (like with regular pins, where you only test each pin individually).
Yeah, I don't accept your terminology, and you don't accept mine (no matter how you try to stretch it how it being half on average is reducing the problem space when it's not: that's rudimentary math, and when you reduce the problem space in a smart way, it applies to each method: eg. testing individual pins, you'll find them on average in half the attempts...).
I do struggle to understand why you are so keen to convince others how your use of terminology is the only acceptable use: it's ok to agree to disagree.
You declared an entirely new definition for lockpicking which is contradictory to all accepted definitions of lockpicking, and then used it to repeatedly insist that the lock being discussed isn't pickable. Your comments are public and what you said is clearly visible, so please stop creating new realities when holes are poked in the previously concocted one.
> You seem to be unable to accept that people tend to and do use different terminology for same things, or same terminology for different things. [...] I do struggle to understand why are you so keen to convince others how your use of terminology is the only acceptable use: it's ok to agree to disagree.
You appear unable to accept that there is an entire industry of locksmithing experts and 100% of them use the same terminology. You are insisting that your invented definitions based on zero locksmithing knowledge should be more relevant than the actual definitions standardized over 4,000 years by hundreds of thousands of experts.
The rest of your comment consists of even more bizarre new definitions for lockpicking and mathematics which contradict reality, and veers even further away from the actual topic being discussed. I refuse to engage with it, because you are making all of your arguments in bad faith. If you can provide any shred of evidence for any of your claims about lockpicking, logic or math, I'll happily concede. But we both know that evidence doesn't exist.
Good job and keep at it, you'll certainly make everyone right on the internet again.
You can however use other properties of the lock to avoid brute forcing it, and get more like a gradient descent:
A blank key will be scratched by pins that are set at the wrong height, and you can keep filing and scratching till it's at the right value
I could imagine each attempt to rotate the cylinder could partially compress a spring-loaded lever. There could be some sort of ratcheting return mechanism that allows the spring to decompress at a known rate (think a kitchen timer). Once the spring is compressed beyond a certain point (e.g. after 5 failed attempts), a mechanism locks out the cylinder until the return mechanism allows the spring to decompress back to its starting position.
If the lockout happened after 5 failed attempts, and the lockout duration was 10 minutes, an attacker could test at a maximum rate of 30 combinations per hour. It would take 64 days to check all 46,656 possible combinations, or 32 days on average to find the solution.
You would need successful uses of the key to reset the ratchet or every 5 times you opened your door it would become inoperable for 10 minutes, assuming the spring for the timer hasn't rusted or got a bit of grit in it or whatever.
- Each [failed] attempt to rotate the cylinder could partially compress a spring-loaded lever.
- The return mechanism would always return if not in its resting position, not only after each 5 failures.
- Successful attempts immediately reset the spring.
In the YouTube video explanation around 2:30, when individual positions (not sure if it's the correct word: talking about the different parts of the lock's inner array moving based on the position of the key/pick) are picked, why doesn't the inner mechanism snap back to its initial state by the spring's force when key/pick is moved out of that position?
And how do they reset when lock is turned and unturned back to initial rotation state if they don't reset when individual positions are released?
(Sorry if I used a terribly wrong terminology)
If a pin is pushed up completely, and you turn the lock slightly, the pin can get stuck in the right position.
This is done with a torsion wrench, keeping torsion on the lock while trying to get the pins in the right position with picks, hooks, or rakes.
LockPickingLawyer has picked just about any and every single lock there is known to mankind. Would love to see him up against this!
Would make for some great content.
He's very good, but he's not infallible. He just doesn't show his failures.
But nobody is going to buy a single thing that the insurers haven't approved.
1: “Here is a thing you are all familiar with”
2: “What if we thought about it DIFFERENTLY?”
3: “Here is the new yet intuitive way to think about it”
4: (Applause. Audience leaves with an easy-to-understand story to tell at cocktail parties)
Great work, and very cool lock.
So, not actual implementation of a lock.
If computer security has taught me anything, unhackable/impenetrable claims, cyber or physical, should be met with skepticism.
Nothing is unhackable/impenetrable. period.
Often, protocols or constructions on top of these cryptographic primitives may have proofs that unconditionally reduce their security to the security of the primitives ("breaking this is at least as hard as AES", normally because "if you could break this, you could also break AES"), or in some cases proofs that do this by making only comparatively uncontroversial mathematical assumptions.
This is a good situation to be in, all things considered, and way better than the past, but it's not an ideal situation!
You can always just guess keys. The aim of most secret key cryptography is to make sure there aren't much better strategies than that to break it, or if there are that the key sizes are sufficiently big it doesn't matter.
With OTP you can't guess keys, as there is a valid key for any possible message. It is unbreakable without the original key.
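The contrast drawn in the two comments above (guessing keys versus a one-time pad) can be checked directly. The following is an added example, not part of the thread; the messages and function names are constructed for illustration. It shows that for a pad as long as the message, every candidate plaintext of that length is explained by some key, so trying keys tells an attacker nothing.

```python
import secrets


def otp_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a pad of the same length (encrypt and decrypt are identical)."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate_plaintext`.

    Such a pad exists for every candidate of the right length, which is why
    a "successful" guess cannot be told apart from a wrong one.
    """
    return otp_xor(ciphertext, candidate_plaintext)


def brute_force_single_byte(ciphertext: bytes) -> set:
    """Try all 256 pads on a one-byte ciphertext and collect the plaintexts."""
    if len(ciphertext) != 1:
        raise ValueError("this helper enumerates the keyspace for one byte only")
    return {otp_xor(ciphertext, bytes([k]))[0] for k in range(256)}


# Constructed sample messages of equal length.
REAL = b"open at 0900"
DECOY = b"open at 2130"


def demo():
    """Encrypt REAL under a random pad, then derive a pad that yields DECOY."""
    key = secrets.token_bytes(len(REAL))
    ciphertext = otp_xor(REAL, key)
    decoy_key = key_explaining(ciphertext, DECOY)
    return ciphertext, key, decoy_key


if __name__ == "__main__":
    ct, key, decoy_key = demo()
    print("real pad  ->", otp_xor(ct, key))
    print("decoy pad ->", otp_xor(ct, decoy_key))
    print("distinct plaintexts from exhausting one byte:",
          len(brute_force_single_byte(ct[:1])))
```

This holds only when the pad is truly random, as long as the message, and never reused; with a fixed-size key shorter than the message, exhaustive guessing does narrow the candidates.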
If it can be opened with a key, there's nothing stopping something else emulating that key - even if resorting to brute force until the key pattern matches.
Ok, so maybe covert entry is harder. Do you care THAT much about covert entry? If you care that much about covert entry, do you also have video monitoring?
Security solutions need to be used in context.
In 90% of situations a bad actor will probably just use brute force. There is something to be said if this isn't bump-able/pick-able, in that at least you won't have the situation where a potential bad actor gains "covert" access, and so people think they're supposed to be there, as opposed to them kicking down the door, but the number of scenarios where that actually matters is slim.
And that hitting something with a sledge or smashing a window would both activate alarms, and just, be really loud regardless.
Yes, there are places without windows and with reinforced doors.
Even setting that aside, impressioning attacks require only seconds at a doorway for each step in the process; this defeats that attack.
Bump keys only require ~30 seconds if you are lucky; this defeats that.
And yes DoD has security cameras, most places do actually.
Agreed - this is exactly the threat model that I'd be looking to block as a purchaser. Had a friend show me how to pick a cheap lock in < 30 seconds - it was laughably easy.
For some strange reason North American homes have the worst locks I have ever seen. Very few high-security locks. In Finland, something like 90% of installed locks are beyond the skills of LockPickingLawyer (he could drill them of course).
If you are willing to pay a little more, it's relatively easy to buy a high-security lock (or padlock) that is never picked even by hobbyists.
My design tried to avoid it being possible to interact with any of the components storing the code before the pins are isolated. I did this by having two styles of pins (normal vs. T-shaped), and an insertable bar in a specially-cut slot, which checked the right combination of pins were along for the ride.
Enclave seems like a much more sensible design in terms of implementation elegance and reliability. This is even more stark compared to other even more complicated designs I have seen. Versus my concept, it also makes it possible to have more than 1 bit per slot. To be completely cautious, however, and fully obsolete those other designs, it would make sense for the top pins to be very slightly spooled along their full length, such that the cut is guaranteed never to touch the sidewall.
Yes. If you're willing to have a really big lock, it's much easier to make room for a two-stage mechanism where the keying info is stored before use. I'd thought about a lever lock like that, but the thing would need a huge box in or behind the door.
There's a possible vulnerability here. This thing may be susceptible to comb picking. The spring channels look to be too long. If you can push the pins up beyond their normal travel, to where the disk stack reaches the top bar, then push the rear actuating pin to operate the top bar, the lock should open.
Master Lock is known for making this basic error in lock design, as Lock Picking Lawyer has pointed out. This is a fixable design mistake. You just have to have something that prevents the pins from being pushed too far.
An insert, aka. a rectangular metal bar with cuts in it, is inserted into a slot cut down the side to define the check key.
The pins are either a standard pin, ⣿⣿, or a T-pin, ⢹⡏. The core is cut all around with a groove like ⣿⣆⣰⣿, which they ride at different heights.
If the insert is shaped like ⣿⣶⣶⣿, it blocks the T-pin, but the standard pin can ride over the top. If the insert is shaped like ⣿⣇⣸⣿, the T-pin rides through the gap, but the standard pins catch.
Again, details like depth and offsets matter, because you don't want it to be bumpable with fast or angry rotations, or for the two pin types to lock at distinguishable offsets, and you don't want it to be jammable. Boring standard fixes can deal with comb attacks.
Enclave, OTOH, does need a bigger body, but it's merely a bit taller, nothing radical, and it's very easy to manufacture. It already has inserts to prevent comb attacks.
For example, one that is unlocked by inserting a key consisting of only a blade and no bow (handle) fully into a slot before operating a mechanism (separate from the lock mechanism) that, in order:
1. covers the slot through which the key was inserted,
2. slides one wall of the slot aside to reveal a bank of pins that then come into contact with the bitting of the key,
3. if the key is a match, enables further operation such as movement of a deadbolt.
The mechanism is then reversed to release the key, which is ejected like a floppy disk / SIM card. Since at no point are the pins exposed to air from the outside world, it becomes impossible to actively move them or probe them for information.