The Rain Man of Lock-Picking

June 20, 2009

Recently, in his Schneier on Security blog, Bruce Schneier mentioned an article in Wired, about a gentleman named Marc Tobias, who has made something of a name for himself as an expert on locks and how they can be defeated.   I’ve said before that to be a really good security person, you have to be able to think in a certain way: the way the Bad Guys think.  It’s an ability Mr. Tobias appears to have in spades:

Thinking like a criminal is Tobias’ idea of fun. It makes him laugh. It has also made him money and earned him a reputation as something of the Rain Man of lock-breaking. Even if you’ve never heard of Tobias, you may know his work: He’s the guy who figured out how to steal your bike, unlock your front door, crack your gun lock, blow up your airplane, and hijack your mail. …

Lock-breaking is equal parts art and science. So is the ability to royally piss people off. Tobias is a veritable da Vinci at both endeavors.

The article talks about how Tobias got his start at around age 15, when he discovered how he could make a telephone call at a pay phone (remember them?) for a penny rather than for a dime:

Tobias was fascinated, then disappointed; once you saw how the machine worked, it was obvious, stupid even. All you had to do was hit the coin return thingy at the right moment, launch a penny into the nickel slot, and the circuit connected. Stupid.

And the stupidest thing of all was that the phone company counted on customers being more stupid than their stupid machine. To a 15-year-old troublemaker, this was either an insult or a challenge. Tobias decided it was both and decided to take it personally.

Tobias went on to study law, and to become a licensed private investigator, who specialized in security in general, and locks and safes in particular.  Once again, there is a suggestion that it takes a certain type of person to be good at this:

Since Tobias had his sights set on being a professional pain in the ass, law school was a natural choice. So was a private investigator’s license. And a polygraph license. And invitations to help sheriff’s department investigations. Soon Tobias was trapping racketeers through wiretaps and rigging hidden cameras in hospitals and churches to catch junkie night nurses and pedophile Catholic priests.

The article goes on to describe how Tobias has worked with law-enforcement agencies on a variety of projects, and how he has also pulled off a number of stunts to demonstrate the vulnerability of many commercial security systems.

The most interesting part, I think, is the account of his experience with Medeco locks.  Those of you who, like me, have lived in New York or another big city may be familiar with them: they are sold on the basis of being pick-resistant, and in general more secure, than ordinary locks.  For this reason, they are quite popular with urban apartment dwellers.  They are also popular with government agencies and other security-conscious operations:

For four decades, Medeco systems have defined high security (a technical designation indicating resistance against covert-entry attack for 10 to 15 minutes, depending on which of two laboratory standards is used). While Medeco locks are obviously not the only barrier between an evildoer and, say, US nuclear codes, they are some of the best locks ever made—and over the years, they have secured most everything worth protecting: storefronts and corporate offices, even the Department of Defense, courthouses, UN buildings, and military and munitions facilities worldwide.

Initially, the Medeco company had a friendly attitude toward Tobias, since some of the publicity he generated about a remarkably unsophisticated yet very successful lock-picking technique called bumping produced an increase in sales of their high-security products.  But Tobias, true to his personality, didn’t stop there.  He, and an associate, Tobias Bluzmanis, devised a method of picking the company’s newest high-security lock, the Medeco3, in the space of about one minute.  The company was Not Amused, and basically cut off all communications with Tobias.

The rest of the Medeco story is an interesting tale of how inept companies can be at handling bad news, and it’s amusing to read.  However, the point I’d like to make here is that this is another example of why openness, as in Open Source, is really close to a necessity.  It may be true that Marc Tobias is an educated enough consumer to choose the best possible lock for whatever application he has in mind — but are you?  I know a bit about locks, and have even picked a few (not for any nefarious purpose, I hasten to add), but I learned some things I didn’t know from this article.

Incidentally, if you are interested in the subject, there is an excellent summary paper [PDF], “Ten Things Everyone Should Know about Lockpicking and Physical Security”, that was presented at a Black Hat security conference; a tip of the hat to Bruce Schneier for the link.


Formulas for Disaster, Part 4

June 20, 2009

Back on June 4, I wrote the post, “Formulas for Disaster, Part 3”, in which I described the structuring and valuation of a barrier option deal that very nearly went badly wrong.  As I wrote then:

I have seen, first hand, situations where otherwise well-qualified, intelligent, sensible people have temporarily, in essence, lost their minds.  The combination of rushed time scales and knowledge of how one would like the results of an analysis to come out can definitely impair one’s judgement.

I was reminded of this again today, when I re-read an article by a professional friend, Charles Ellis, PhD, CFA, called The Loser’s Game [PDF here].  This article, which originally appeared in the summer of 1975 in the Financial Analysts Journal, talked about the disappointing investment performance of professional fund managers, most of whom delivered results that were worse than would have been achieved with a totally passive investment strategy (such as an index fund).  At the time the article appeared, investment performance was a “hot topic”; Congress had passed the Employee Retirement Income Security Act [ERISA] in 1974, which among other things stipulated new requirements for reporting pension plan results to the plan beneficiaries, and established a statutory duty of the plan trustees to act only for the best interest of the plan beneficiaries.

Ellis argues that the under-performance that was observed was to be expected:

The investment management business is built upon a simple and basic belief: Professional money managers can beat the market.  That premise appears to be false.

He then goes on to explain why he believes that this basic assumption is false.  A significant part of the explanation is alluded to in the article’s title: Ellis says that professional money management had become what he terms a “Loser’s Game”.   He illustrates the idea by comparing the game of tennis, as it is played by professionals, which is a Winner’s Game, with tennis as played by the rest of us, which is a Loser’s Game.  In the professional game, there are often long volleys, with a point won when one player makes a particularly skillful shot.  Professionals also sometimes win points by service aces.  In contrast, amateur tennis is characterized by service faults, balls hit out of bounds or into the net, and other miscues.  In other words, a professional match is won by the player who wins the most points; an amateur match is won by the player who loses the fewest.  He also quotes the naval historian, Admiral Samuel Eliot Morison, on the ultimate Loser’s Game:

Other things being equal, the side that makes the fewest strategic errors wins the war.

He then explores some of the reasons that this applies to investment management.  The most important of these reasons is that, by the mid-1970s, the market had come to be dominated by professional money managers.  In the previous ten years, the professionals’ share of all stock market transactions had gone from 30 percent to 70 percent.  As Ellis says,

The trouble with Winner’s Games is that they tend to self-destruct because they attract too much attention and too many players — all of whom want to win.

As the professionals, to an increasingly large extent, comprise the market, their ability to outperform it is correspondingly diminished.  (It is an obvious arithmetic truism that the market as a whole cannot outperform itself.)

As I mentioned in my earlier post, there have been arguments advanced that blame the current crisis on people that were either entirely venal or drastically stupid — but I think that is too facile an explanation.  Ellis makes an observation that seems to me quite prescient in today’s context:

Psychologists advise us that the more important the old concept of reality is to a person – the more important it is to his sense of self-esteem and sense of inner worth – the more tenaciously he will hold on to the old concept; and the more insistently he will assimilate, ignore, or reject new evidence that conflicts with his old and familiar concept of the world.  This behavior is particularly common among very bright people, because they can so easily develop and articulate self-persuasive logic to justify the conclusions they want to keep.

In addition to the advent of new exotic securities, such as credit default swaps, and greater globalization of finance, one trend that has characterized the last 20 years or so is the growth of what is usually called proprietary trading; that is, trading done by a financial institution for its own account, rather than on behalf of customers.  I observed some of this development, and know that some of the early adopters of this approach did very well financially.  (I can remember one strategy for hedge trading of utility stocks that was almost embarrassingly simple.)   Many large investment banks derived a very significant proportion of their total profits from proprietary trading activities.

Imitation being the sincerest form of flattery, almost every investment bank, and many other financial institutions, piled into the proprietary trading game.  The repeal of the Glass-Steagall Act provisions separating commercial from investment banking, in 1999, let even more firms in on the fun.  So the competition was steadily becoming more intense; yet the people in the game (who, after all, regarded themselves, not without reason, as Winners) knew that they could always succeed by being smart and working hard.  This in turn motivated them to try new things, like ever-more exotic transactions.

The case of AIG is instructive.  A few decades ago, it was a very well regarded re-insurance company, and viewed as very solid financially.  But, like many others, it saw running an internal hedge fund (which is essentially what proprietary trading is) as easy money, and set up the AIG Financial Products subsidiary.  The rest, as they say, is history.

Of course, it is harder to be sure exactly what happened in all the confusion surrounding the recent troubles on Wall Street than it was in the investment management case, since the results are not as public.   But I have a sneaking suspicion that we are seeing the results of something very much like what Charley Ellis identified almost 35 years ago in the investment management business: more and more smart people were chasing a smaller and smaller set of potential rewards, until they got to the point where, as Pogo once said, “We have met the enemy, and he is us.”
