Recently, in his Schneier on Security blog, Bruce Schneier mentioned an article in Wired, about a gentleman named Marc Tobias, who has made something of a name for himself as an expert on locks and how they can be defeated. I’ve said before that to be a really good security person, you have to be able to think in a certain way: the way the Bad Guys think. It’s an ability Mr. Tobias appears to have in spades:
Thinking like a criminal is Tobias’ idea of fun. It makes him laugh. It has also made him money and earned him a reputation as something of the Rain Man of lock-breaking. Even if you’ve never heard of Tobias, you may know his work: He’s the guy who figured out how to steal your bike, unlock your front door, crack your gun lock, blow up your airplane, and hijack your mail. …
Lock-breaking is equal parts art and science. So is the ability to royally piss people off. Tobias is a veritable da Vinci at both endeavors.
The article talks about how Tobias got his start at around age 15, when he discovered how me could make a telephone call at a pay phone (remember them?) for a penny rather than for a dime:
Tobias was fascinated, then disappointed; once you saw how the machine worked, it was obvious, stupid even. All you had to do was hit the coin return thingy at the right moment, launch a penny into the nickel slot, and the circuit connected. Stupid.
And the stupidest thing of all was that the phone company counted on customers being more stupid than their stupid machine. To a 15-year-old troublemaker, this was either an insult or a challenge. Tobias decided it was both and decided to take it personally.
Tobias went on to study law, and to become a licensed private investigator, who specialized in security in general, and locks and safes in particular. Once again, there is a suggestion that it takes a certain type of person to be good at this:
Since Tobias had his sights set on being a professional pain in the ass, law school was a natural choice. So was a private investigator’s license. And a polygraph license. And invitations to help sheriff’s department investigations. Soon Tobias was trapping racketeers through wiretaps and rigging hidden cameras in hospitals and churches to catch junkie night nurses and pedophile Catholic priests.
The article goes on to describe how Tobias has worked with law-enforcement agencies on a vaeriety of projects, and how he has also pulled off a number of stunts to demonstrate the vulnerabiliity of many commercial security systems.
The most interesting part, I think, is the account of his experience with Medeco locks. Those of you who, like me, have lived in New York or another big city may be familiar with them: they are sold on the basis of being pick-resistant, and in general more secure, than ordinary locks. For this reason, they are quite popular with urban apartment dwellers. They are also popular with government agencies and other security-conscious operations:
For four decades, Medeco systems have defined high security (a technical designation indicating resistance against covert-entry attack for 10 to 15 minutes, depending on which of two laboratory standards is used). While Medeco locks are obviously not the only barrier between an evildoer and, say, US nuclear codes, they are some of the best locks ever made—and over the years, they have secured most everything worth protecting: storefronts and corporate offices, even the Department of Defense, courthouses, UN buildings, and military and munitions facilities worldwide.
Initially, the Medeco company had a friendly attitude toward Tobias, since some of the puiblicity he generated about a remarkably unsophisticated yet very successful lock-picking techinique called bumping produced an increase in sales of their high-security products. But Tobias, true to his personality, didn’t stop there. He, and an associate, Tobias Bluzmanis, devised a method of picking the company’s newest high security lock, the Medeco3, in the space of about one minute. The company was Not Amused, and basically cut off all communications with Tobias.
The rest of the Medeco story is an interesting tale of how inept companies can be at handling bad news, and it’s amusing to read. However, the point I’d like to make here is that this is another example of why openess, as in Open Source, is really close to a necessity. It may be true that Marc Tobias is an educated enough consumer to choose the best possible lock for whatever application he has in mind — but are you? I know a bit about locks, and have even picked a few (not for any nefarious purpose, I hasten to add), but I learned some things I didn’t know from this article.
Incidentally, if you are interested in the subject, there is an excellent summary paper [PDF], “Ten Things Everyone Should Know about Lockpicking and Physical Security”, that was presented at a Black Hat security conference; a tip of the hat to Bruce Schneier for the link.