Black Hat Locksmithing - When Locksmiths Go bad

[huxleypig]

And yet doing the opposite, and making your work public can lead to even worse consequences. Like my Abloy Classic Pick/Decoder - it was only up here on KP for about 3 weeks and it had already been declassified from its secret status and for sale to the public.

In my opinion this is not a bad consequence. This is a great achievement! Because now the public knows what can be done with the locks, what certain people were able to do in the past and has a more realistic knowledge how secure the lock is. It is very sadly that the people who know want to keep the public dumb.

I agree that it is a good thing that government tools are de-cloaked and the issues with locks are known. I just wish that it hadn't have taken such a big investment on my behalf for that to happen! Because I would not have bothered if I had have known. The Stasi made sure all the locks in East Germany were vulnerable to specific pre-known attacks!

I think there is a very strange dichotomy in the physical (and digital) security world. We have the users, and locksport groups who want to know the issues and fix the issues...then you have the lock makers whose only motivation for making things more secure/fixing issues is sales and financial. These are at odds. "For the good of security" is simply not a thing when it comes to lock makers, not in my experience.

[Lauren]

Hux, I feel your frustration. I have relieved some my own tension by writing books. Have you ever considered self-publishing? You don't have to go public on your copies, and it allows you to document your art and get things out of the closet. A book becomes something of a witness to your achievements.

[MartinHewitt]

I agree that it is a good thing that government tools are de-cloaked and the issues with locks are known. I just wish that it hadn't have taken such a big investment on my behalf for that to happen!

IMHO it was time well spent. Journalists also put a lot of effort into knowing things, even so they know that others already know these things.

[droshi]

Lauren, it is such a difficult dilemma, isn't it? Merely saying you have a tool that does x or y is enough to alert others to the fact that it is possible, which could lead to losing the idea, without ever even publicising the tool itself. And yet I really, really hate having to keep my best work hidden from view...but that is the reality right now and it is so very fucking frustrating. I know it is easy to say this, but you should see some of the stuff I have squirrelled away. Completely new NDE methods (or should I say, completely new NON-PUBLIC methods) of opening pin tumblers and lever locks and disc detainers...all sorts of crazy shit.

Josephus, I too sit on ideas and tools for years sometimes...but again, this can be a bad idea; I have an MCS opening system that has been sitting in Lockfall Towers for a few years, waiting until such a time as I can leverage it. But the fantastic Draukan found the same vulnerability, put it up on Youtube and now not only have I had to find a new method, but all that work and all that 'sitting on the tool' has been for (effectively) nothing now.

And yet doing the opposite, and making your work public can lead to even worse consequences. Like my Abloy Classic Pick/Decoder - it was only up here on KP for about 3 weeks and it had already been declassified from its secret status and for sale to the public. I asked everybody I knew if such a thing already existed and to a man, everybody said "no". I scoured long and hard, searching for any clue that the tool might already exist. There was none. So, confident I was doing something original, I embarked on a 6 year-long process that cost me a LOT of time, energy and money. Guess fucking what, it was there the whole bastard time. And not just the Safe Ventures tool either. Some of the guys I asked are/were (RIP Chris Belcher, you were a massive inspiration to me) very old, respected toolmakers from the UK, a couple of which do work for intelligence agencies. Nobody knew a thing about it.

I often equate it to artwork (because I consider the design and creation of locktools a form of artwork); imagine Mozart spending years writing his life's masterpiece. He unveils it at a grand ceremony to many plaudits. Then, a week later, Johan Strauss knocks on his door and tells him that his wonderful oeuvre is a total rip off of his own work, composed many years before. Whilst I do not place myself in the relative league of Mozart, I think my point still stands. I found the whole thing very distressing. I found it soul destroying.

So to summarise, it is not something that I will ever let happen again. Any stuff that I have shown since then are old versions of tools, very early prototypes or heavily redacted/obfuscated. Many of my concepts/techniques are still completely in the dark. So how do you get around this dilemma? Keep making stuff that only you will ever see or get to use? That is such a waste. I hate the way many of the government secret stuff never sees the light of day, if I were the inventor of some of that incredible stuff, I'd have to be pretty damn well compensated for that.

Greets to Camlock company, I'll be making a tool for your stupid octagon shaped locks. Yours truly, Hold-My-Beer

Lol, shhh Jaakko, their revolutionary re-design of the tubular lock centre-post is FAR too complicated to make a tool for!

Great talk hux! I certainly have the same dilemma now. The traditional thing is to patent such a novel invention, but then to be told it's not novel or to have your designs stolen without recourse is a sad to say the least. No wonder manufacturers have this locked up tight and control things how they want.

Keeping things in the dark isn't a long term strategy in my opinion, that much is clear, however what's not clear is how someone should be fairly compensated for such work that we do? Many have said after I picked the MCS that "if you could really do that, the manufacturer would pay you a bunch of money!" ...but it's now obvious, pay for what? Even though I did design a lock that prevents the method, it's clear they are far from interested.

I don't expect such a huge lottery winning for finding exploits, but a nice bug bounty makes a lot of sense. Just like covered in your talk, the physical world has a lot of catching up to do with the digital world. In the beginning, I think hackers did it just to see if they could, and in some ways, that's how I approached the MCS.

I may take just the opposite approach of keeping everything secret, and publish absolutely everything I find. I went to the manufacturer first to see if they were interested in patching such an exploit and was literally shamed out of the room for even expecting some amount of money for my ideas. In the end, maybe they do just get free R&D from us (shameful for THEM in my opinion), but I don't really see a way to force them to do anything. Only their consumers can demand something better. In the information age, obscuring information is not a good long term strategy in my opinion, though on a small scale it certainly works well.

[Oldfast]

Hux! I really enjoyed your talk, immensely. Very interesting topic that, as you said, is not talked of much.
I've read of safe technicians gone bad too... which can have some devastating results. Really well laid
out talk and very well done. Thanks for posting a link here - I would have never seen it otherwise.
Was also an exciting surprise to see one of my photos (picked Mogul) pop up in your slideshow
After knowing you here for some years, it was also nice to finally put a face with the name.

[huxleypig]

Hey Oldfast! Thanks for the nice words, I really enjoyed researching it. I'm sorry I didn't ask you to use your picture; I did try and get permission for every picture I used but I was running out of time and grabbed a picked Mogul from google.

[Oldfast]

Oh, no worries at all. I was elated to see it used. Anything I post
around here can be enjoyed and used by anyone and everyone.