[ISN] The joys of picking locks, the secret world of bumping

From: InfoSec News (alerts@private)
Date: Mon Nov 06 2006 - 22:49:14 PST


http://www.naplesnews.com/news/2006/nov/06/joys_picking_locks_secret_world_bumping/

By Sara Schaefer Munoz 
The Wall Street Journal
November 6, 2006

NEWINGTON, CONN. - On a recent evening in this quiet suburb, Matthew 
Fiddler hunched over a door lock, jiggling it with a pick and poking it 
with a wrench. In just a few moments, it popped open.

Fiddler wasn't locked out and he isn't a thief. Instead, the 36-year-old 
father of four, clad in khakis and a blue button-down shirt, was seated 
around a table with a handful of people who pick locks for fun.

The group, a chapter of Locksport International, gets together monthly 
to poke and prod everything from padlocks to dead-bolt cylinders. They 
swap tips, hold contests and eat pizza.

Most say they do it for the challenge. "It's like doing a Rubik's Cube 
in the dark," says Josh Nekrep, a construction sales representative and 
Locksport's administrative director. And for Nekrep and others, it 
carries a broader mission: finding and exposing the vulnerabilities in 
common locks so people can better protect themselves.

"The public has a right to know if some $30 lock they bought is not 
secure," says Fiddler, the Connecticut chapter president, who, like many 
in his group, works in computer security.

That philosophy has riled lock manufacturers and law-enforcement 
officials, who believe disseminating information about lock weaknesses 
can only encourage illicit activity. It has also split the locksmith 
community, putting them at odds about whether picking techniques should 
be disclosed.

Fueling their concern: the spread of Internet videos that show how to 
pick many types of locks.

Pin tumbler locks, commonly used on doors, mailboxes or padlocks, are 
opened with a key when their spring-loaded pins are pushed into the 
right alignment. To open them without a key, hobbyists often use a 
slender pick to maneuver the pins, while at the same time sticking a 
tension wrench in the keyhole to apply turning pressure.

Another popular method is "bumping," which involves inserting a 
specially filed key blank into a lock and hitting or "bumping" it.

Key blanks, made by lock manufacturers and used for making duplicate 
keys, are widely available for most common locks online or in hardware 
stores. The force of hitting the key makes the pins jump in such a way 
that for a split second the lock can be opened.

Google co-founder Sergey Brin says he became interested in lock picking 
as a graduate student and years ago picked the lock of Google's offices 
when he didn't have a key. He told reporters attending a Google 
conference earlier this month that he recently learned the "bumping" 
technique by watching a video available through Google's site.

"I was curious," he said. "You want to see a person just do it."

Law-enforcement officials fear that any tactic that exposes 
lock-breaching can put information into the wrong hands.

"They are exposing vulnerabilities to everybody, and everybody includes 
criminals," says Jim Pasco, the executive director of the National 
Fraternal Order of Police. "I am absolutely mystified at what they 
perceive to be ethical about that."

Organized groups of lock-picking hobbyists have operated in Europe for 
years, and have recently been increasing in North America. Locksport 
International started last year and has 100 members in six chapters in 
the U.S. and Canada. The Netherlands-based Open Organisation of 
Lockpickers (TOOOL) formally launched a U.S. group in August and so far 
has 40 members.

The hobby is also becoming popular on college campuses: students at the 
University of Texas in Austin recently launched a picking group.

Even as the hobby's popularity has grown, members acknowledge it still 
faces an image problem.

"Picking locks is so often viewed by the layperson as a nefarious act," 
says a statement posted on Locksport's Web site. It says the group wants 
"to promote the hobby/sport of lock-picking in an ethical manner." 
Members say they take problems to manufacturers first and then go public 
if the companies don't respond.

At the recent meeting in Newington, about 10 men, with ages in their 20s 
to 60s, sat around a brightly lit table, bending over different types of 
locks and brandishing picks and wrenches. During breaks in the chatter, 
all that could be heard was tapping and clicking.

"I'm interested in how locks work," says Jack Craib, a 63-year-old 
retired bookbinder.

"When you are picking a lock and it clicks open, it seems like something 
magical has happened," says Eric Schmiedl, a college student on the 
TOOOL board of directors.

Police and lock manufacturers say they get worried when pickers swap 
tips on the message boards of lockpicking101.com, a Web site for 
lock-picking enthusiasts, and post how-to demonstration videos on the 
popular video-sharing site YouTube.com.

After several videos circulated this summer showed how the "bumping" 
method could be used to open locks, the Dallas-based Associated 
Locksmiths of America, a trade group, fired off a statement calling the 
information "a misguided attempt at consumer awareness" that could 
"stimulate the interest of would-be burglars."

Paul Dickard, a spokesman for lock manufacturer Schlage, said the 
company would prefer if the hobbyists "acted more like a magic society, 
where the trade secrets stay in the room."

Still, at least one lock maker says the hobbyists can help companies. 
Walt Strader, vice president of research and development for Black & 
Decker, which makes Kwikset, Weiser and Baldwin locks, says the company 
recently became aware of the "bumping" method from information 
disseminated by the groups.

While the company doesn't agree with the groups' publicity tactics, he 
said it is "taking the issue seriously" by re-evaluating its products 
and considering a warning on the packaging. The company is also working 
with the industry to call for a ban on the Internet sale of bump keys, 
he says.

Nekrep says the group makes a concerted effort to keep out anyone with 
shadowy motives. He says all new members must be endorsed by two 
existing members and everyone must abide by a code of ethics, which 
includes the promise to pick only locks that they own or have been given 
express permission to pick.

Fiddler says he can spot undesirables right away. He has turned away 
several people because they were asking "how to break into things, 
rather than demonstrating a real interest in how things work."
 
