Essentially, their argument was that this would be a huge pain and expense to fix, and so we are all better off just keeping it on the down low. And that kind of worked, for about a hundred years, until more open communities - like computer security research - started looking seriously at locks (as both metaphors and as interesting mechanisms in their own right).
I see their point, even if I personally reject it. But in the age of the Internet, you just can't keep this kind of stuff secret.
5/
@mattblaze
Article passionnant à lire !
@mattblaze isn’t it like some kind of zero day exploit though. Some people may have been walking through locked doors using this method for decades or longer.
@mattblaze Did the locksmiths attack IEEE too or only you?
@mattblaze One might want to read up on Richard Feynman's safe cracking while he was working at Los Alamos during WW-II. He found that, if a safe was open and you fiddled with the knob on the lock, you could read the combination off of it - at least enough to make opening it trivial.
@mattblaze I worked as a Locksmith in college, and it's a really interesting group of people. Very conservative generally, insular to a fault. They DO feel like they are the sacred knowledge keepers of a mysterious artform, at least the older guys do. Back in their youth it was even a little true.
But information will get free no matter what. And they used their secrets like freemasons for a long time. In reality, it's just physical mechanisms, most of which can be figured out.
@mattblaze the last* paragraph of 2.1 seems fucked up (it starts in the middle of a sentence).
Of possible interest to you and other lockpickers @alice
@mattblaze Hey @alice , great thread here about master-keyed mechanical locks, that might interest you!
@mattblaze do you know if all master-keyed locks are still vulnerable today?
@mattblaze I just finished reading the paper, I started thinking that it would be hard to understand because full of terminology or math notion, but far from it, it was so nice to read, even for someone whose mother tongue is not English, like me.
Thanks for sharing the story.
Classic example of why "security by obscurity" is never a good idea. Fascinating story Matt.
Nowadays there are doors digital lockers that have no mechanical fallback.
Also those open office multiuser lockers have no fallback for loose knobs. In poorly maintained overused lockers, if previously setup pin doesn’t work on second attempt, automatically switch to master key manufacturer defaults like #101010# et al
@mattblaze It is quite delightful that your paper is cited as a source on Wikipedia's page on master keying.
Unexpectedly, my paper got some press attention. @jswatz_tx found it and wrote a short piece in the NY Times.
And then locksmiths freaked out. I mean completely lost it. They were very upset, not so much that a very common lock design had a basic security flaw, but that an "outsider" found it and had the poor moral character to make it public.
I started getting weird death threats. They doxed me ("let's see what kind of lock the bastard has on HIS house")
2/
A trade publication called The National Locksmith ran monthly guest editorials in which prominent members of that profession were invited to denounce me. My favorite quote, from a locksmith named Billy Edwards, who had written a book on master keying, and who took my paper rather personally.
3/
@mattblaze Just load new software? *cries in business requirements*
@mattblaze I thought master keys on physical locks are such a dumb concept and were an urban legend. Seriously?
@mattblaze oh, those sweet sweet innocent souls, no clue how deeply fucked up the world they live in really is 😂
@mattblaze that's a great story. Thanks for sharing it.
@mattblaze This is great news! I will share it with the teams who can’t manage to patch their systems.
@mattblaze it is a common failure mode. Our Post Office (counters, not mail delivery) embraced it when their Fujitsu software was obviously unreliable.
Bits of the health service, possibly of all health services fall into it sporadically.
The whole Administration of a major power are throwing it at themselves.
The Lock-Picking Lawyer is quite amusing.
I should point out that master keying was about a century old at the time, and while the mechanical details weren't secret, locksmiths tended to regard the inner workings of locks as "restricted knowledge", rather like a medieval trade guild. I didn't understand this.
What took me by surprise was how different the physical security wold's attitude was compared with that of my community, where the ethics of discussion of vulnerabilities has long been essentially settled in favor of openness.
4/
@mattblaze This post reminds me a lot about Operational Technology security. It is also non-trivial to fix certain security issues and they treat it like a kind of restricted knowledge. The physical system they manage was made by a company that no longer exists and it would be tens of millions of dollars to replace. But now things are ever more connected and networked. Knowledge of the process, as-in the plant’s process, becomes weaponizable information.
@mattblaze This isn't surprising, given the mechanical lock industry. A prominent lock company of "high-security" warehouse locks had a lock that could be defeated with a plastic card of the right softness/hardness. They supressed this info for 20 years by suing anyone who disclosed it into NDAship, until they finally couldn't anymore and went out of business.
Essentially, their argument was that this would be a huge pain and expense to fix, and so we are all better off just keeping it on the down low. And that kind of worked, for about a hundred years, until more open communities - like computer security research - started looking seriously at locks (as both metaphors and as interesting mechanisms in their own right).
I see their point, even if I personally reject it. But in the age of the Internet, you just can't keep this kind of stuff secret.
5/
@mattblaze it did work beyond the little issue that the bad guys with a certain "professional" level also did know about these.
There is always that stupid assumption that the good guys have a monopoly on knowledge and competent people.
I don't see any reasonable assumptions why that should be so it's not like capitalism is a meritocracy (or it would be called meritocratism) , the thing that you need to thrive is capital.
@mattblaze Like that thing with Hyundais and Kias where they took a security feature out to save money, relying on obscurity to keep it from being an issue, and then someone made a video about it on TikTok
@mattblaze as a woman who has lived alone I don't know that I'd buy it worked... Every problematic guy with a locksmith friend or some skills himself was probably terrorizing some ex girlfriend or ex wife, and we just never heard about it .
@quinn The very first thing I do when I encounter a friend in a condo or other residence with a master-keyed system is make them change the lock to one with a single key. If there's a real emergency, they can force entry. The repair isn't that expensive, and the peace of mind is significant.
Anyway, my intent in looking at locks and publishing my paper wasn't to disrupt the lock industry. I believed, as I still do, that mechanical locks and physical security have quite a bit to teach computing, but also that the abstract techniques of cryptography and computer security can illuminate weaknesses that are hard to see when looking at systems in strictly mechanical terms.
My attack is intuitive and obvious to cryptographers, but rather subtle without our field's tools.
6/
@mattblaze I had a similar experience in an unrelated area (except, of course, that it was @jswatz who also wrote it up). After downloading district court records, we discovered a large number of bugs: disclosure of names of minor children, of confidential informants, of medical records, and *tons* of SSNs and other IDs. The courts went ballistic, they were convinced that the PACER paywall was protecting privacy and by disclosing the bug, I had blown their cover.
I never did reach a truce with the locksmiths. A couple years later, I met Billy Edwards, the author of that editorial denouncing me, at a trade show, and when he learned who I was he refused to shake my hand and asked me to leave him alone.
I wish he had seen things differently, but I can respect that he was coming from a place of genuine concern, even if I think his approach was wrong.
To this day, I worry that I'm pretty screwed if I get locked out of my house.
7/7
ROTFLMAO
"inexperienced amateurs when it comes to physical security"
followed by
"it is a simple to fix a security problem, you just load new software"
thus failing to prove their point but proving that they are "inexperienced amateurs when it comes to software security"...
security through obscurity didn't work for high priests in ancient times, nor has it ever worked well since.
![...It [Blaze’s master keying paper] shouldnt have been
published, because the only people it will educate are the
dishonest who will use it to compromise security.
Locksmiths dont have to be surreptitious ...
... No, we can t call him a moron because he is obviously
intelligent, after all he did grasp the concepts of master
keying. We can however, see that he is an inexperienced
amateur when it comes to physical security. In his
computerized world it is a simple thing to fix a security
problem, you just load new software...
— from a guest editorial denouncing me in The National Locksmith (June
2003)](https://cdn.masto.host/federatesocial/media_attachments/files/115/800/351/122/168/173/original/680b5fdff18b0aa3.png)
