http://www.naplesnews.com/news/2006/nov/06/joys_picking_locks_secret_world_bumping/ By Sara Schaefer Munoz The Wall Street Journal November 6, 2006 NEWINGTON, CONN. On a recent evening in this quiet suburb, Matthew Fiddler hunched over a door lock, jiggling it with a pick and poking it with a wrench. In just a few moments, it popped open. Fiddler wasn't locked out and he isn't a thief. Instead, the 36-year-old father of four, clad in khakis and a blue button-down shirt, was seated around a table with a handful of people who pick locks for fun. The group, a chapter of Locksport International, gets together monthly to poke and prod everything from padlocks to dead-bolt cylinders. They swap tips, hold contests and eat pizza. Most say they do it for the challenge. "It's like doing a Rubik's Cube in the dark," says Josh Nekrep, a construction sales representative and Locksport's administrative director. And for Nekrep and others, it carries a broader mission: finding and exposing the vulnerabilities in common locks so people can better protect themselves. "The public has a right to know if some $30 lock they bought is not secure," says Fiddler, the Connecticut chapter president, who, like many in his group, works in computer security. That philosophy has riled lock manufacturers and law-enforcement officials, who believe disseminating information about lock weaknesses can only encourage illicit activity. It has also split the locksmith community, putting them at odds about whether picking techniques should be disclosed. Fueling their concern: the spread of Internet videos that show how to pick many types of locks. Pin tumbler locks, commonly used on doors, mailboxes or padlocks, are opened with a key when their spring-loaded pins are pushed into the right alignment. To open them without a key, hobbyists often use a slender pick to maneuver the pins, while at the same time sticking a tension wrench in the keyhole to apply turning pressure. Another popular method is "bumping," which involves inserting a specially filed key blank into a lock and hitting or "bumping" it. Key blanks, made by lock manufacturers and used for making duplicate keys, are widely available for most common locks online or in hardware stores. The force of hitting the key makes the pins jump in such a way that for a split second the lock can be opened. Google co-founder Sergey Brin says he became interested in lock picking as a graduate student and years ago picked the lock of Google's offices when he didn't have a key. He told reporters attending a Google conference earlier this month that he recently learned the "bumping" technique by watching a video available through Google's site. "I was curious," he said. "You want to see a person just do it." Law-enforcement officials fear that any tactic that exposes lock-breaching can put information into the wrong hands. "They are exposing vulnerabilities to everybody, and everybody includes criminals," says Jim Pasco, the executive director of the National Fraternal Order of Police. "I am absolutely mystified at what they perceive to be ethical about that." Organized groups of lock-picking hobbyists have operated in Europe for years, and have recently been increasing in North America. Locksport International started last year and has 100 members in six chapters in the U.S. and Canada. The Netherlands-based Open Organisation of Lockpickers (TOOOL) formally launched a U.S. group in August and so far has 40 members. The hobby is also becoming popular on college campuses: students at the University of Texas in Austin recently launched a picking group. Even as the hobby's popularity has grown, members acknowledge it still faces an image problem. "Picking locks is so often viewed by the layperson as a nefarious act," says a statement posted on Locksport's Web site. It says the group wants "to promote the hobby/sport of lock-picking in an ethical manner." Members say they take problems to manufacturers first and then go public if the companies don't respond. At the recent meeting in Newington, about 10 men, with ages in their 20s to 60s, sat around a brightly lit table, bending over different types of locks and brandishing picks and wrenches. During breaks in the chatter, all that could be heard was tapping and clicking. "I'm interested in how locks work," says Jack Craib, a 63-year-old retired bookbinder. "When you are picking a lock and it clicks open, it seems like something magical has happened," says Eric Schmiedl, a college student on the TOOOL board of directors. Police and lock manufacturers say they get worried when pickers swap tips on the message boards of lockpicking101.com, a Web site for lock-picking enthusiasts, and post how-to demonstration videos on the popular video-sharing site YouTube.com. After several videos circulated this summer showed how the "bumping" method could be used to open locks, the Dallas-based Associated Locksmiths of America, a trade group, fired off a statement calling the information "a misguided attempt at consumer awareness" that could "stimulate the interest of would-be burglars." Paul Dickard, a spokesman for lock manufacturer Schlage, said the company would prefer if the hobbyists "acted more like a magic society, where the trade secrets stay in the room." Still, at least one lock maker says the hobbyists can help companies. Walt Strader, vice president of research and development for Black & Decker, which makes Kwikset, Weiser and Baldwin locks, says the company recently became aware of the "bumping" method from information disseminated by the groups. While the company doesn't agree with the groups' publicity tactics, he said it is "taking the issue seriously" by re-evaluating its products and considering a warning on the packaging. The company is also working with the industry to call for a ban on the Internet sale of bump keys, he says. Nekrep says the group makes a concerted effort to keep out anyone with shadowy motives. He says all new members must be endorsed by two existing members and everyone must abide by a code of ethics, which includes the promise to pick only locks that they own or have been given express permission to pick. Fiddler says he can spot undesirables right away. He has turned away several people because they were asking "how to break into things, rather than demonstrating a real interest in how things work." _________________________________ Visit the InfoSec News store! http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Mon Nov 06 2006 - 22:57:48 PST