Tough tumbler: Lock-picking vs. the pandemic shutdown
Hackers may be stereotyped as introverts, but at hacker conventions as big as DefCon to more local confabs, you’re almost certain to run across at least a few, and sometimes dozens, of hackers hunched over tables of metal locks and key cylinders, poking at their innards with thin metal picks and rakes.
The art of lock-picking, many of them will tell you, is hacker philosophy made real, but the longtime hacker sport has faced an uncertain future since the coronavirus pandemic shuttered the world’s social gatherings.
DefCon’s Lockpick Village this year, run by The Open Organization Of Lockpickers (TOOOL.us), was held entirely on a Discord chat server for DefCon’s online-only version of the conference. TOOOL.us representatives declined to comment about the DefCon event for this story.
READ MORE ON LOCK-PICKING
In post-massacre Vegas, security policies clash with privacy values
How to choose a hacking camp for kids
Default codes and the RemoteLock 6i: A cautionary IoT tale
Competitive lock-picking dates back to the early 19th century, when lock manufacturers would offer rewards to anyone who could break their wares. Within 50 years, there were public competitions to reveal how secure the latest locks were. The practice fell out of favor until computer hackers resurrected it in the early 1990s, and in 1997, the first modern-era competitive lock-picking group was established in Hamburg, Germany.
One thing that sets computer and online hacking apart from lock-picking is that the the analog counterpart requires a physical presence, says John Gordon, an early member of the Longhorn Lockpicking Club, based at the University of Texas at Austin. The club, with more than 550 members, would see between 10 and 20 attendees at its twice-monthly meetups before the pandemic.
Gordon, who, when he’s not making locks sit up and dance, is a senior cybersecurity risk analyst for the university’s Information Security Office, now runs the club—and says he’s declined to host online meetups because they are quintessentially an in-person experience.
“Online meetups never clicked with me. What we provide are people’s first lock-picking experiences,” he says. “A lot of it is feel. It’s like learning to ride a bike; if you get a certain feedback, you know that you’re getting close to picking a lock, and there’s no relation to digital tools.”
Lock-picking stakes can be high. Gordon says that when he bought his house, the first thing he did was change the locks because he recognized them as easily picked.
At its simplest, picking a lock requires a lock or key cylinder to unlock, and a pickset, a group of specialized tools that you insert into the keyhole to fidget with the pins inside the lock. Tweak them in the right order, and the lock opens. It’s analogous to finding software or hardware vulnerabilities in modern computing, in that the hacker is forcing the lock to open without the “official” key, but with the intent of learning more about the system, and ultimately making it safer—as opposed to pwning it for private gain.
But not all lock-pickers agree with Gordon’s reluctance to attempt to move the culture of lock-picking online. One of Gordon’s friends, California-based Eric Michaud, has a long history of lock-picking. Currently the CEO of Rift Recon, a security training and products company that includes lock picks and other penetration testing hardware among its wares, in 2005 he was the first to pick Mult-T-Lock’s set of stacked pins in a technique that cryptographer Matt Blaze named after Michaud. Soon thereafter, he co-founded the US chapter of The Open Organization Of Lockpickers and this year organized the online Lockpicking Village for July’s Hackers On Planet Earth Conference.
This story was originally commissioned by Dark Reading. Read the full story here.