I was recently reminded of this.

A couple decades ago, I wrote a short paper that described how the basic approaches of cryptography and computer security lead to an efficient and practical privilege escalation attack against master-keyed mechanical locks, which I published in IEEE Security and Privacy (a nerdy computing technical journal).

https://www.mattblaze.org/papers/mk.pdf

TL;dr: Master-keyed locks have fundamental, exploitable weaknesses.

But I wasn't ready for what happened next.

1/

Unexpectedly, my paper got some press attention. @jswatz_tx found it and wrote a short piece in the NY Times.

And then locksmiths freaked out. I mean completely lost it. They were very upset, not so much that a very common lock design had a basic security flaw, but that an "outsider" found it and had the poor moral character to make it public.

I started getting weird death threats. They doxed me ("let's see what kind of lock the bastard has on HIS house")

2/

A trade publication called The National Locksmith ran monthly guest editorials in which prominent members of that profession were invited to denounce me. My favorite quote, from a locksmith named Billy Edwards, who had written a book on master keying, and who took my paper rather personally.

3/

I should point out that master keying was about a century old at the time, and while the mechanical details weren't secret, locksmiths tended to regard the inner workings of locks as "restricted knowledge", rather like a medieval trade guild. I didn't understand this.

What took me by surprise was how different the physical security world's attitude was compared with that of my community, where the ethics of discussion of vulnerabilities has long been essentially settled in favor of openness.

4/

Essentially, their argument was that this would be a huge pain and expense to fix, and so we are all better off just keeping it on the down low. And that kind of worked, for about a hundred years, until more open communities - like computer security research - started looking seriously at locks (as both metaphors and as interesting mechanisms in their own right).

I see their point, even if I personally reject it. But in the age of the Internet, you just can't keep this kind of stuff secret.

5/

Anyway, my intent in looking at locks and publishing my paper wasn't to disrupt the lock industry. I believed, as I still do, that mechanical locks and physical security have quite a bit to teach computing, but also that the abstract techniques of cryptography and computer security can illuminate weaknesses that are hard to see when looking at systems in strictly mechanical terms.

My attack is intuitive and obvious to cryptographers, but rather subtle without our field's tools.

6/

I never did reach a truce with the locksmiths. A couple years later, I met Billy Edwards, the author of that editorial denouncing me, at a trade show, and when he learned who I was he refused to shake my hand and asked me to leave him alone.

I wish he had seen things differently, but I can respect that he was coming from a place of genuine concern, even if I think his approach was wrong.

To this day, I worry that I'm pretty screwed if I get locked out of my house.

7/7

NB: While I never intended to piss off locksmiths with my master keying paper, I did write a followup a couple years later about safes and safecracking, partly out of spite.

https://www.mattblaze.org/papers/safelocks.pdf

TL;dr: We can learn a lot from safes and safe locks, and the frameworks of cryptography and computer security are applicable there, too. The fact that our learning about this subject makes people in that industry upset is just a bonus.

I wrote that paper after I had moved from AT&T Labs to U. Penn. The Penn locksmith went totally apoplectic, and wrote regular angry letters to the dean and to the head of campus security warning about what an irresponsible, dangerous menace I am. But for whatever reason, his efforts were unsuccessful in getting me fired; the administration just forwarded me his letters, which I taped to the door of my office.

It occurs to me that people outside the security field might find it odd that we openly publish stuff like this. Why help people who might use the knowledge to do bad things?

There are a number of reasons. The first is that only through open discussion are we able to identify and fix problems. Another, which is what motivated my work, is educational: you can't learn to defend systems unless you understand how they are attacked.

So while openly publishing offensive security techniques might indeed help criminals, that harm is outweighed by significant benefits. Every properly trained computer science student should understand how to exploit vulnerabilities. Because the attackers DEFINITELY understand it.

The bottom line here is that while being the subject of attack by a deranged internet mob is never fun, sometimes it's the cost of doing business for doing interesting work.

And for those who yell at me for posting black and white photos or not putting content warnings on discussions of current events or not using enough hashtags or whatever, don't bother. I've stared down angry locksmiths and come out the other side.

I've gotten a few replies asking me if I regret publishing this or would do anything differently.

No. I'm proud of this work. I think it has value. I would do nothing differently. I am, evidently, remorseless and incorrigible.

@mattblaze you know, it's probably your work and similar that led to a more open world of locksmithing where you have people like The Lockpicking Lawyer doing full teardowns of fancy locks on their site, where locksport continues to be a popular (if somewhat niche) pastime, and where - one hopes - physical locks continue to evolve more securely.

So anyhow, thank you for publishing that paper. The people who got pissed off were just coming from an older way of thinking about things.

@me I'm not sure what the reason is (though I like to believe I was part of it), but I definitely agree that we're in a much better place today - with open discussion of physical security and an active community probing it and publishing about it - than we were 25 years ago.

@mattblaze
Thanks for sharing this story - lots to learn here, and translatable to many guilded communities. But I find myself wondering if, even with more open discussion of security after your work, the locksmith community ever remedied the master keyed lock flaw? Or was it really too expensive to make it practically unfixable?

@me

@me @mattblaze There are so many locksmiths and lock manufacturers that hate folks like LPL, McNally, & locksports in general because they often reveal how much of it is an extremely false sense of security - the number of designs that are trivial to bypass or get in to is way too high, and many lock manufacturers just haven't bothered to make their stuff more secure.

A lot of thieves who bother with lockpicking and bypassing already knew a lot of the stuff locksports are sharing with the broader public. They already knew that you can comb open certain lock designs, smack certain padlocks to force the spring latch to release, bump-key a deadbolt to get in without obvious damage...

IDK it just seems like locksmiths and lock makers rely heavily on security-by-obscurity and all that does is leave the honest folks in the dark about how secure a lock truly is; meanwhile the dishonest figured out which locks can be easily gotten in to long ago & figure that out well before anyone publicly shares that knowledge.

@senil

designs that are trivial to bypass or get in to is way too high, and many lock manufacturers just haven't bothered to make their stuff more secure

I believe this is another important aspect of, and reason for, bringing responsible disclosure, or any disclosure at all, to the realm of physical security.

How do locksmiths expect the general security baseline to improve, if not by putting economical pressure on manufacturers? Build shitty locks, people eventually can realize they're flawed, so they can choose to not buy 'em anymore.

And don't anyone dare arguing "well, everyone should pay a licensed professional to choose each and every lock that is moderately important" — that's some secret guild level choke-hold of the commoners, by literal gatekeeping. :)

Endangering practically everyone long-term, while impotently and ineffectively imploring manufacturers to build better locks, isn't a gloriously effective prospect.

Thank you for that paper, @mattblaze !

@mattblaze this was such a fun read - thank you
@mattblaze excellent article, thank you for posting it

@mattblaze

The issue is not "how can I protect my 42 Rolex from thieves?" but "Why must a thief pick my 42 Rolex?", bringing to ask "Who taught this person that to have 42 Rolex is good?", i.e. "Who invented the competition based on the possession of things?".

@mattblaze :-) I’ll look up the papers, thanks! … I wonder if a perspective here is that the entire idea of “privileged knowledge” is, basically, tremendously morally dubious. You note several problematic outcomes of it.

I think there is a distinction to “secrets”. We understand a secret is only secret when it is kept secret. We don’t expect others to respect the secrecy, that duty is on us.

With privileged knowledge there is some sense of requiring others to align with our own ideas. … I just can’t see that leading to healthy incentives, and it seems pretty guaranteed to create unfortunate power imbalances?

Maybe someone’s already written about this clearly, because I don’t think I’m managing to!

@benjohn @mattblaze The problem with "privileged knowledge" aka "security by obscurity" is that you have no way to verify that nobody else knows. Every idea can and will be thought again. So security by obscurity does not provide reliable security at all.

@ax11 @mattblaze I agree with this, but I’m suggesting maybe we can make a stronger statement, beyond just the realm of security, that “privileged information” is problematic.

Thinking of historic examples, we’ve got the power of the church amplified by the bible being in Latin, and also being very expensive to copy. I think there are lots of examples of knowledge hoarding in libraries, prior to this being more open. There are also lots of cases of manufacturing knowledge being kept private to block competition.

In these cases, it’s been rational for some group to maintain privileged information, but it seems hard to claim this has benefitted people at large.

@benjohn @mattblaze I fully agree. Unfortunately, microblogging platforms are not really made to explain your argument in depth.
@ax11 @mattblaze a follow on thought - the intent (often subverted) of patent law was to encourage information disclosure instead of hoarding. The “payment” for disclosure being exclusivity for some period. So even our regulatory system considers privileged process information to be problematic.
@benjohn @mattblaze ...hence the "non-discriminating" condition in certain licenses.
@benjohn @mattblaze I think you managed pretty well.

@mattblaze The locksmiths need to stay in more, and enjoy a few fun YouTube videos from the LockPickingLawyer, who has not only picked every lock in sight on camera, and insulted nearly all of them, he has, or used to have, a side hustle selling the kit he uses.

This cat will not get back into the bag.

https://www.youtube.com/@lockpickinglawyer/videos

@steter @mattblaze He still does, Covert Instruments. Recently got the Covert Companion Pro, which is basically an entire field kit in the form of a leatherman tool :)

@mattblaze If nothing else, your future is assured as a viral sensation.

Locksmiths HATE THIS GUY... find out how to break locks with that ONE SIMPLE TRICK!

@mattblaze
Now I'd like to read one of those papers? I found this interesting and of course, being right is not always rewarded, with the hostilities it draws.
@mattblaze evidently, you're okay with going in a Blaze of glory

@mattblaze I realized the problems with master keying back in the mid-80s in college, so I figure it had to be common knowledge then or thieves would be too stupid to breathe. That includes the practical vulnerabilities of just swiping a copy of the master or making a bump key.

I wonder how many things are relatively secure only because even the bad guys dismiss the attack as "Nobody would be brain-dead enough to leave _that_ in there...".

@tknarr @mattblaze Before the computer hacking scene was a very big thing, I learned (possibly from one of Feynman's autobiographies) that locks are only there to keep honest people from being momentarily tempted. Any dishonest person is going to find a way to break the lock eventually.

Feynman (probably also a sex pest, so we can't call him honest), demonstrated this sense of transparency in the mid-20th century by breaking into things and then telling his superiors — at Los Alamos while helping to develop the nuclear bomb. Of course, they didn't handle this well either.

Given this principle, the goal of locks then becomes not about stopping a thief, but making it take as much time as possible to break in, during which, they are likely to be caught using your many other methods of deterrence.

I've found this good advice, not just wrt locks.

@mattblaze imagine if YOU took their offense offensively. Talking about what computer systems locksmiths used, where they live old and so on.

Apparently that didn't occur to them so I see where that angriness comes from 🙄🙄🙄

@mattblaze wow. Quite a story, and reaction from locksmiths

@mattblaze I'm sure someone else in one of these comments has mentioned this, but there's a guy on YouTube going by the name Lock Picking Lawyer and he does videos on how to pick locks all the time, showing vulnerabilities in his videos. He even sells lock picking tools.

Also, I think you did the right thing. For what it's worth.

@mattblaze There have been clubs and rankings for lockpicking hobbyists for years, though - and now yt channels like The Lockpicking Lawyer. I wonder if you would get the same result if you published that initial paper today 🤔.

@mattblaze this reminds me of “magicians never reveal their secrets” versus “you’re a performer — if you’re good, it shouldn’t matter if they know how it works”.

But the most interesting part was that I was expecting some kind of especially clever approach here, but it was something I would consider obvious. Expressed very well, with great cross-referencing of terms from cryptology, infosec and locksmithing!
But nevertheless, the idea that it was some sort of ‘great secret revealed’ is just silly. Secrecy is hardly viable for something that can be guessed from a few sentences of describing how master keying works.

@mattblaze I'm fond of the phosgene gas argument to all of this personally.

Phosgene is a hideous chemical weapon that ideally nobody should know how to make in their back yard. It's also what you get if you weld metal that you cleaned with brake cleaning fluid and didn't then clean the brake cleaning fluid off.

So you have a choice, you can either kill lots of welders, or you can teach welders how to make phosgene gas.

Obscurity is just externalising costs and risks.

@mattblaze It's also probably worth mentioning (as you have in previous threads elsewhere) that locksmiths some hundred or two or five earlier understood that not talking about vulnerabilities only benefited ne'er-do-wells who already knew many methods of scoundrelry.
@mattblaze Early in my appsec career I spent a lot of time on locksport and I studied this paper and your safe paper a lot. I appreciate all the work you did here and still do. Thank you!
@mattblaze in fact, not doing so would make you likely feel guilty...

@mattblaze I've always assumed that crime syndicates (and freelancers) all sent some bright younger members to locksmith school where they could pick up the latest tradecraft that they could then flip for their own nefarious uses. As I've been assuming about computer security folks.

And, continue to let the information flow. It wants to be free.

@mattblaze Stay zhat way. Zhis was a wonderful zhread.
@mattblaze And they never once changed the keying on your office lock. Or did they? (The right way to do it, of course, is to rekey so that your key works but the master keys don't, thereby locking the maintenance people out. Then wait for something to go wrong—or "help" that along…)
@SteveBellovin @mattblaze you sir have an admirable evil streak 🫡
@quinn @mattblaze It’s part of being a good security person. The way I put it is that I get to think evil thoughts and feel virtuous about it.

@mattblaze You lost me here, because it seems like you're trying to conflate "security through openness" with "lack of netiquette". As the Aussies say, "yea nah".

Frankly, as someone who followed you back on the tweeters long ago, this seems uncharacteristically illogical, even petulant. CWs and alt texts are good, actually

@seachaint @mattblaze If you have such issues with him posting political content without CWs and photos without whatever kinds of alt text you’d like, maybe his feed is not for you and you should unfollow him. It would save you, me, and everyone else a lot of time.
@MisuseCase What a ridiculous outlook. You waste your own time with silly replies. If you don't like my toots just don't read them
@mattblaze
Why are content warnings on this list? Is this about a specific incident?
@mattblaze People get snippy when he posts something about a political issue that isn’t his “usual” content without putting a warning on it.

@mattblaze

criminals will get the info. making sure everyone else has the same info to level the playing field is to the benefit of all. openness, transparency, and education help the majority more than it enables the criminal.

@mattblaze After reading all of this and remembering business 101: You revealed a market upgrade opportunity for innovation and relevance to the first locksmiths to adapt and offer the products and service. Again, business 101 most common degree in America at one point. Anyway, those upset by your publication of *the truth* of a day zero exploit a hundred years in are lazy entitled parts of our entire problem and may be disregarded if not actively countered with principled resource expenditure.

@mattblaze So ... they [the locksmiths] had a hundred years to try to solve the problem, but didn't?

That kind of deflates the "this is serious because it takes longer to fix physical vulnerabilities" argument ...

@tychotithonus @mattblaze Induction, applied to procrastination.
@tychotithonus @mattblaze Well. Physical security is hard. You may find that practical & secure master key system is impossible, for example.

@pavel

Indeed. Almost as if solving the problem that way was untenable, and they knew it, and were relying on obscurity instead of solving the problem a harder way.

This is a cybersecurity metaphor.

@mattblaze Now I'm wondering why you were recently reminded of this.

Like, are there reports of a wave of burglaries that happened suspiciously around the same time a bunch of infosec academics lost their NSF grants?

@lahosken @mattblaze or did you misplace your keys? 🤔