Prodigal Sons & Responsible Disclosure
I’ve never spoken directly to this audience about how I entered the world of Locksport. Back in 2006 I was attending the Hackers On Planet Earth (HOPE) conference with some friends. They dragged me along to a talk on lockpicking, a subject which had never held any attraction for me before that time. The talk was two hours long and featured Barry Wels and Marc Tobias. It was incredible. Barry, in particular, amazed me. He was like a very quiet magician on that stage. He spoke to the audience candidly while opening locks casually. Each time a lock popped it was thrilling to me, his relaxed manner, his absolute confidence that the locks would open, and his perpetual half-smile left an indelible impression.
Afterward I approached both men as they sat in the lobby of the Hotel Pennsylvania. I thanked them and asked Barry if he had any clubs in America. I mentioned that some friends of mine and I wanted to start picking locks together. He told me to come see him the next day and he’d give me all of the information I would need. So, at 3pm the next afternoon, on the last day of HOPE #6, I met Barry once again and he introduced me to Omikron, Eric Michaud & Eric Schmiedl. I remember they looked confused to have Barry introducing me. Before I could reflect on it he announced: “You four will be my Board of Directors for The Open Organisation Of Lockpickers, U.S.” It was quite a shock. I was thrown in the deep end, just 24 hours after discovering how a lock works.
During the following weeks and months, I learned a lot, I worked hard and started competing. There were people who helped me along and I was lucky to be able to bounce ideas off of some of the best mentors in the world. Now, less than two years later, NDE Magazine is up and running in stable condition. It has found itself planted firmly in the middle of some incredibly talented people, ready to introduce them to one another and tell their stories.
I could not be happier.
I mention all of this because it is absurd to me that one morning in April, I found myself in the kitchen of a sailor in the U.S. Navy, who had worked tirelessly for months to develop a tool to aid in the picking of Medeco locks. Sitting across from us, quiet, curious and unassuming, was the head of Medeco research and development. Which raises the question: “Why was I there?”
The Prodigal Son
At the 2007 Dutch Open, Peter Field, the man from Medeco, was slated to give a four hour talk on lock engineering. It ran for over five. As compelling and comprehensive as the presentation was (and as entertaining as the Frenchman sitting beside me was, whispering as each slide came up: “Ah yes, this lock, let me tell you how we defeat this lock…”) what stood out most to me were his opening words:
“Let me just say, in case no one else has, welcome to the industry.”
To a room full of lockpickers, he says “Welcome.” That is not the reception those of us on this side of the Atlantic are used to. To be clear, in both our private and public lives we have been called criminals, miscreants, thieves and far worse.
To quote the Schlage lock company from an article in the Wall Street Journal: “…the company would prefer if the hobbyists ‘acted more like a magic society, where the trade secrets stay in the room.’” The trouble with that statement is that a magician, as amazing as his tricks may be, has never figured out how to enter your home in the middle of the night undetected. It’s a different kind of knowledge we’ve gathered, and their response was flippant. So, here is a room full of people, many of whom are used to being insulted, hushed and disregarded, told that they were “Welcome” by a representative of a major American lock manufacturer.
Some who have heard this story secondhand can’t get over one thing, though: there have been problems with Medeco locks for years. So, now that we’re discovering these issues independently, why wait? Why give them time to respond when perhaps this flaw shouldn’t exist in the first place? To these questions, I answer: “Because they are the Prodigal Son.” They have reached out their hand to our community and agreed to treat us with respect, listen to what we’ve learned, and fix the problems we have uncovered. Whatever your feelings are in regard to their past, I hope you can welcome them as Peter welcomed us.
After Peter’s talk I cornered him and thanked him for coming out. I gave him a lock I had brought with me because it sounded like he might not have one in his collection. I wonder now if he wasn’t just being polite when he accepted it on those grounds. It wasn’t a long conversation, but it was mutually friendly and the connection was made.
Responsible Disclosure
At a small conference in Arizona last year, I gave a talk titled “Responsible Disclosure in Physical Security.” Not many people showed up. My friends offered an answer: “Sounds … exciting.” A line delivered with a sarcastic roll of the eyes. It does sound pretty dull, I can’t deny that. However, those few who attended seemed intrigued by how our community was learning to deal with exposing the flaws we discovered. The talk centered around Jaakko Fagerlund’s ABUS Plus decoding method. It walked through the initial discovery, building the first tool, refining and simplifying the tool, and it talked briefly about how he tried to get in touch with the manufacturer (all of this is discussed at length on page 19, but don’t skip ahead just yet).
That’s the rub, though, isn’t it? How are random, geographically disparate, independent lockpickers supposed to develop the sort of contacts so that they can make a phone call and get ABUS to have lunch with them? As it turns out, via Lockpicking101.com. The disparate lockpicker becomes part of a distributed network of hobbyists, all with their own backgrounds, friends, and occasionally industry contacts. That’s how it worked in Jaakko’s case and that’s how it worked for Jon King, the sailor who put me up for a night in April.
Jon and my staff at NDE Magazine have been prepared to publish his story for more than two months. Doug Farre took the helm during Issue 2 and I was largely uninvolved with that issue, until this story crossed my desk. When I made the decision to hold the article, and push back the print date of Issue 2 as a whole, it led to a lot of debate. At issue was whether or not Medeco should be given the opportunity to see the article before it was released. There was a lot of concern that they would somehow try to squelch it, as well as concerns that they could intimidate Jon, or buy him off, or any number of troubling scenarios. Despite this, both my web designer (John Naughton) and I had met Peter that weekend in Holland and agreed that we could trust him.
More important though, was that he deserved to be let in, because he had let us in first. Most important? There was a chance, slim as we all worried it was, that Medeco might take Jon’s work seriously, and potentially even roll out a solution prior to NDE hitting the virtual newsstands.
It may seem anticlimactic to those outside this community, but there is no more exciting headline than “Our exploit is no longer effective!” We defeat, only to be defeated. There is no one I know, who is serious about the research side of this hobby, who doesn’t get a thrill thinking about how the manufacturer can repair their lock designs. I would rather wait a few months, work with the manufacturer, and release a story about a new attack and how they fixed the problem so the attack no longer works, before any word of it ever hits the open air.
It’s a subject I’ve spent a lot of time thinking about and discussing with some folks in a field which often overlaps: computer hacking. They have established their means of disclosure and some people think it translates perfectly. Let me lay out the simple differences we have to keep in mind:
Digital security protects your personal information. Physical security protects your person.
The stakes are too high to release without a plan, without trying to get the issue resolved before it goes out the door. Additionally, software manufacturers can fix their broken software by sending a patch directly to your computer. Lock manufacturers don’t have that luxury. The best they can do is to get the appropriate fix into the hands of locksmiths so they can provide it to their customers. This takes time, and if the manufacturer isn’t on board when you release your exploit? It’s time that could cost businesses their stock, pay phones their quarters, or families their safety.
We have an ethical duty to take all of this into consideration when we first make a discovery. Happily, the hardest part, being heard, is beginning to get easier. Use each other as a resource to get in touch. Use LP101, use other lockpicking forums and chat rooms, use NDE Magazine, use anyone at your disposal. It is possible that it will fall on deaf ears, but the tide is turning in that regard. From a table in a sailor’s kitchen one morning I was proud to witness a clear example of the success of a lockpicker having his exploit considered – and solved.
Schuyler Towne
Executive Editor, NDE Magazine