I was recently reminded of this.

A couple decades ago, I wrote a short paper that described how the basic approaches of cryptography and computer security lead to an efficient and practical privilege escalation attack against master-keyed mechanical locks, which I published in IEEE Security and Privacy (a nerdy computing technical journal).

https://www.mattblaze.org/papers/mk.pdf

TL;dr: Master-keyed locks have fundamental, exploitable weaknesses.

But I wasn't ready for what happened next.

1/

Unexpectedly, my paper got some press attention. @jswatz_tx found it and wrote a short piece in the NY Times.

And then locksmiths freaked out. I mean completely lost it. They were very upset, not so much that a very common lock design had a basic security flaw, but that an "outsider" found it and had the poor moral character to make it public.

I started getting weird death threats. They doxed me ("let's see what kind of lock the bastard has on HIS house")

2/

A trade publication called The National Locksmith ran monthly guest editorials in which prominent members of that profession were invited to denounce me. My favorite quote, from a locksmith named Billy Edwards, who had written a book on master keying, and who took my paper rather personally.

3/

I should point out that master keying was about a century old at the time, and while the mechanical details weren't secret, locksmiths tended to regard the inner workings of locks as "restricted knowledge", rather like a medieval trade guild. I didn't understand this.

What took me by surprise was how different the physical security world's attitude was compared with that of my community, where the ethics of discussion of vulnerabilities has long been essentially settled in favor of openness.

4/

Essentially, their argument was that this would be a huge pain and expense to fix, and so we are all better off just keeping it on the down low. And that kind of worked, for about a hundred years, until more open communities - like computer security research - started looking seriously at locks (as both metaphors and as interesting mechanisms in their own right).

I see their point, even if I personally reject it. But in the age of the Internet, you just can't keep this kind of stuff secret.

5/

@mattblaze This isn't surprising, given the mechanical lock industry. A prominent lock company of "high-security" warehouse locks had a lock that could be defeated with a plastic card of the right softness/hardness. They suppressed this info for 20 years by suing anyone who disclosed it into NDAship, until they finally couldn't anymore and went out of business.

Anyway, my intent in looking at locks and publishing my paper wasn't to disrupt the lock industry. I believed, as I still do, that mechanical locks and physical security have quite a bit to teach computing, but also that the abstract techniques of cryptography and computer security can illuminate weaknesses that are hard to see when looking at systems in strictly mechanical terms.

My attack is intuitive and obvious to cryptographers, but rather subtle without our field's tools.

6/

@mattblaze The excuse the industry has always used is that it's a major logistical effort to replace/upgrade thousands of physical locks when a hack is reported, so they need years of secrecy to do so. Of course, they instead use that secrecy to not do anything at all.

Kryptonite locks is possibly the only exception to this.

I never did reach a truce with the locksmiths. A couple years later, I met Billy Edwards, the author of that editorial denouncing me, at a trade show, and when he learned who I was he refused to shake my hand and asked me to leave him alone.

I wish he had seen things differently, but I can respect that he was coming from a place of genuine concern, even if I think his approach was wrong.

To this day, I worry that I'm pretty screwed if I get locked out of my house.

7/7

@mattblaze I had a similar experience in an unrelated area (except, of course, that it was @jswatz who also wrote it up). After downloading district court records, we discovered a large number of bugs: disclosure of names of minor children, of confidential informants, of medical records, and *tons* of SSNs and other IDs. The courts went ballistic, they were convinced that the PACER paywall was protecting privacy and by disclosing the bug, I had blown their cover.

@mattblaze @jswatz Hah. You think the Administrative Office of the US Courts doesn't like me, you should try mentioning my name at ISO headquarters.

@mattblaze @jswatz Here's John's piece. https://www.nytimes.com/2009/02/13/us/13records.html?unlocked_article_code=1.AVA.FUKV.C1Gdr5H_8nxF&smid=url-share He did a terrific job. The AO liked it so much, they called the FBI (for the second time!). Jeesh. No sense of humor.

@mattblaze What's really funny to me is this 1853 book that Ches and I quoted in the first edition of "Firewalls", about whether it's proper to discuss vulnerabilities in locks.

@fuzzychef I thought PACLOCK was another; am I misinformed?

NB: While I never intended to piss off locksmiths with my master keying paper, I did write a followup a couple years later about safes and safecracking, partly out of spite.

https://www.mattblaze.org/papers/safelocks.pdf

TL;dr: We can learn a lot from safes and safe locks, and the frameworks of cryptography and computer security are applicable there, too. The fact that our learning about this subject makes people in that industry upset is just a bonus.

@carlmalamud @mattblaze @jswatz I remember when once upon a time I mentioned your name to Bruce Lehman, then of the USPTO.

He had been pontificating before a bunch of IP lawyers, making many of those lawyers quite angry, as he said that "his customer" were those filing patents. He directly and clearly dismissed that his job was to serve the citizens of the US - they were not his "customers".

Anyway, he turned bright red with anger at the mention of your name. I thought he was going to launch his hair (or wig) to the ceiling.

@karlauerbach @mattblaze @jswatz LOL. Not sure if I had heard that story. I can tell you another. There was a meeting in the White House with the Vice President at one end of the table and Commissioner Lehman at the other, and Gore asked him why he couldn't put the patents on-line for free "like Carl is doing." Lehman got red in the face and started yelling at the VP ("you would have to order me to do that!"), which I think certainly was a breach of protocol and decorum.

@carlmalamud @karlauerbach @jswatz Good thing laws and patents and stuff aren't freely online now, or the economy would have completely collapsed by now. Oh, wait...

I wrote that paper after I had moved from AT&T Labs to U. Penn. The Penn locksmith went totally apoplectic, and wrote regular angry letters to the dean and to the head of campus security warning about what an irresponsible, dangerous menace I am. But for whatever reason, his efforts were unsuccessful in getting me fired; the administration just forwarded me his letters, which I taped to the door of my office.

@mattblaze So ... they [the locksmiths] had a hundred years to try to solve the problem, but didn't?

That kind of deflates the "this is serious because it takes longer to fix physical vulnerabilities" argument ...

It occurs to me that people outside the security field might find it odd that we openly publish stuff like this. Why help people who might use the knowledge to do bad things?

There are a number of reasons. The first is that only through open discussion are we able to identify and fix problems. Another, which is what motivated my work, is educational: you can't learn to defend systems unless you understand how they are attacked.

So while openly publishing offensive security techniques might indeed help criminals, that harm is outweighed by significant benefits. Every properly trained computer science student should understand how to exploit vulnerabilities. Because the attackers DEFINITELY understand it.

@mattblaze do you know if all master-keyed locks are still vulnerable today?

The bottom line here is that while being the subject of attack by a deranged internet mob is never fun, sometimes it's the cost of doing business for doing interesting work.

And for those who yell at me for posting black and white photos or not putting content warnings on discussions of current events or not using enough hashtags or whatever, don't bother. I've stared down angry locksmiths and come out the other side.

@mattblaze as a woman who has lived alone I don't know that I'd buy it worked... Every problematic guy with a locksmith friend or some skills himself was probably terrorizing some ex girlfriend or ex wife, and we just never heard about it.

@quinn The very first thing I do when I encounter a friend in a condo or other residence with a master-keyed system is make them change the lock to one with a single key. If there's a real emergency, they can force entry. The repair isn't that expensive, and the peace of mind is significant.

I've gotten a few replies asking me if I regret publishing this or would do anything differently.

No. I'm proud of this work. I think it has value. I would do nothing differently. I am, evidently, remorseless and incorrigible.

@mattblaze I think there is also a point to be made here about the importance of software and how software being closed source does not automatically make it more secure. If anything, closed source is less secure because it deprives independent researchers of the opportunity to poke around and find issues.

@vinay While that's a commonly repeated myth, no study has been able to establish any significant correlation between open (or closed) source and improved security. It doesn't seem to be an important factor in practice.

@vinay It's one of those things that both seems logical and that everyone wants to believe, but there's just no empirical support for.

@mattblaze you know, it's probably your work and similar that led to a more open world of locksmithing where you have people like The Lockpicking Lawyer doing full teardowns of fancy locks on their site, where locksport continues to be a popular (if somewhat niche) pastime, and where - one hopes - physical locks continue to evolve more securely.

So anyhow, thank you for publishing that paper. The people who got pissed off were just coming from an older way of thinking about things.

@me I'm not sure what the reason is (though I like to believe I was part of it), but I definitely agree that we're in a much better place today - with open discussion of physical security and an active community probing it and publishing about it - than we were 25 years ago.

@tychotithonus @mattblaze

Does that ever work? Are there cases where a large group of insiders knew about a problem in some field and quietly fixed it?

@cptbutton @tychotithonus @mattblaze wasn't there an improperly designed building in New York that was going to blow over if the wind hit it at a certain angle? They fixed it before the wind came at that angle, and the public found out only later?

@mattblaze Matt, of all the people I have ever known, you are the one I’d be least worried about getting locked out of a building. (This may be because I do not yet really know @deviantollam other than via the occasional exchange here on the FediTubes.)

@20002ist @mattblaze Matt and I have known each other for what feels to me like 20+ years or so now and the fact that I haven't met you personally yet is a failing of mine that perhaps may yet still be remedied. ☺️👍

(A kind of wild footnote to the saga of this thread is the fact that I met another prominent person in the lock industry at a conference, perhaps 3 years ago it was, and somehow it sounded like he was STILL a bit salty about Matt's paper and mentioned him by name during a training I was attending. While it sounded like he may have softened slightly in his stance, he nonetheless still remembered the incident of Matt's paper pretty fresh in his mind, as if it were yesterday.)

@deviantollam @20002ist A lot of them seem to still be clinging to this belief that they are an elite priesthood entrusted with safeguarding secret knowledge. They'd be so much more productive if they acknowledged the existence of the real world.

@mattblaze If nothing else, your future is assured as a viral sensation.

Locksmiths HATE THIS GUY... find out how to break locks with that ONE SIMPLE TRICK!


@tychotithonus @mattblaze Well. Physical security is hard. You may find that a practical and secure master key system is impossible, for example.


@LukefromDC @mattblaze there is another reason why they went electronic. Keys would time out. No reason to worry about the old keys anymore. They could wipe out the keys from an employee with one tap.

There are a bunch of reasons besides just a flaw in a master key situation. Electronic does allow for more fine-grained control. And allows for more than 2 keys floating around.

There is a downside to electronic keys: the key on the phone gets wiped sometimes. (Yes, that happens more than you think; it happened to me twice on my last trip.) This is due to NFC on the phone.

@fuzzychef Not an incident, just that PACLOCK has been very friendly to locksport as far as I know. I thought they had taken feedback from the locksport community as well as giving awards for successfully picking their locks. But my memory is foggy and might be wrong.

@mattblaze I'd say s/genuine concern/blissful ignorance/ there.

Counting on something like that being a trade secret is just incredibly dumb. As if people interested in breaking into houses couldn't study locksmithing...

Being angry that someone published that is misdirected, at best.

@pavel

Indeed. Almost as if solving the problem that way was untenable, and they knew it, and were relying on obscurity instead of solving the problem a harder way.

This is a cybersecurity metaphor.

@mattblaze it did work beyond the little issue that the bad guys with a certain "professional" level also did know about these.

There is always that stupid assumption that the good guys have a monopoly on knowledge and competent people.

I don't see any reasonable assumption why that should be so; it's not like capitalism is a meritocracy (or it would be called meritocratism), the thing that you need to thrive is capital.

@mattblaze You lost me here, because it seems like you're trying to conflate "security through openness" with "lack of netiquette". As the Aussies say, "yea nah".

Frankly, as someone who followed you back on the tweeters long ago, this seems uncharacteristically illogical, even petulant. CWs and alt texts are good, actually.

@mattblaze precisely why we published this book (in 2004). Incidentally we still expected some trouble...and we got none. I think your view about "guilds" is accurate.

@noplasticshower @mattblaze @cigitalgem But remember the uproar when Dan Farmer and Wietse Venema released SATAN?

@SteveBellovin @noplasticshower @cigitalgem The reaction to SATAN was an extremely useful tool for identifying people I’d never want to work with.

@mattblaze I'm fond of the phosgene gas argument to all of this personally.

Phosgene is a hideous chemical weapon that ideally nobody should know how to make in their back yard. It's also what you get if you weld metal that you cleaned with brake cleaning fluid and didn't then clean the brake cleaning fluid off.

So you have a choice, you can either kill lots of welders, or you can teach welders how to make phosgene gas.

Obscurity is just externalising costs and risks.

@mattblaze Do your locksmith friends know about this guy?

https://en.wikipedia.org/wiki/LockPickingLawyer

I’ve watched some of his videos and it is surprising how easy it is to pick locks.

@Robgbysea That is a little bit like watching a recording of Nureyev in his prime and concluding it's easy to dance ballet.

@mattblaze

@graydon @Robgbysea @mattblaze _Some_ of the stuff he does is easy, so even if he always manages to open a lock, you can usually tell a lot about the quality of it.

If a lock can be opened with a simple shim or by raking it, stay away. If a video includes phrases like "the tool that Bosnian Bill and I made", it tends to be a decent lock.

@Uglesett @graydon @Robgbysea @mattblaze And security is ultimately an economics problem. If the lock on my bike is good enough the thief takes yours instead I win. If the lock is stronger than the rest of the security on something then it serves no purpose being better because I'll just take the other path, be it a sledgehammer or removing jewels from Parisian museums by going in somewhere else.

@carlmalamud @karlauerbach @mattblaze @jswatz
Interesting that NOAA went the other way to the great dismay of government weather "customers".

@mattblaze I get this all the time re: lockpicking. "Aren't you just teaching people to be criminals?". Well, to date, I don't know of anyone I've taught using the skill for evil, but I know a bunch have used it to increase their own security practices and to help others.

Security through obscurity isn't secure for long.

And I worry about all the folx whose first thought seems to be "if someone knows a secret, they'll use it for evil...but not me because I'm moral". It whiffs of the surveys that show that most people think they're an above average driver.

@alice @mattblaze @paul_ipv6 I’ve had to rescue my kids from behind a locked bathroom door, and get into my late mom’s filing cabinet when the key was lost. Did locksmiths lose a little money thereby? Sure, but I find it hard to feel sorry.

@wendynather @alice @paul_ipv6 I get the impression that a lot of these “security” concerns are about job security.

@alice @mattblaze

Fun fact, one of the very first things I did when I met @eniko in person was to pick the lock on her suitcase for her, because it had been damaged in transit. That was the only time I ever used them on anything besides the practice padlock I had

@mattblaze i was gonna say, this is like when people say “don’t signal boost fascists,” as though ignoring them will make them go away
