Thursday, January 29, 2009

Locksmiths vs Hackers

Over the past few years there has been an emerging culture of 'locksport' enthusiasts. The stereotype that has come out of that is the 'hacker who picks locks better than a locksmith'. There have been a number of articles on this movement in popular internet webzines. One that recently caught my eye was this one: Locksmiths Hate Geeks.

As most rumors do, this has a grain of truth to it. Because of the internet, the fundamentals of lockpicking are more readily available to the general public, and people who are interested in subversive topics are likely to be attracted to both 'hacking' and 'lockpicking'. Combine that with a high-IQ filter, add 'competition' to the mix, and you end up with a quite interesting group of people who are very proficient at picking (and impressioning too).

Personally, I find the whole topic pretty silly. Being a locksmith has far more to do with being ready to help a customer at a fair price any time of day or night than it has to do with lockpicking. Newsflash to the geeks: comparing locksport to locksmithing is like comparing running fast to playing professional football. Most of you will outgrow the interest. Newsflash to the locksmiths: hire these geeks, they will probably make good locksmiths.

Geeks usually meet many of the requirements of being a good locksmith: they are curious, technical by nature, don't want to work in a repetitive mindless job, like challenges, like learning new things, don't have huge aspirations of owning the corporate world, and are good with numbers and computers.

To be clear, 'hacking' for criminal purposes is against the law, and those people should be prosecuted. 'Hacker type' refers to someone with the knowledge and skill to find workarounds for electronic security; there are professionals who work for companies to identify problems in systems and software and who serve a valuable purpose, like the gentleman described below.

Barry Wels is one of the legends in the 'underground' of lock bypass. I've personally met Barry and exchanged information with him while working on training for a Spanish company we were helping get into business. He had some invaluable information on European locks, and I shared some feedback on some of the other species of locks that I was encountering down there.

Barry is probably the Deity...or at least a demigod of the underground 'locksport' community. I have personally heard people demonize him, particularly for releasing information about 'bump keys' to the public.

The root of the argument is over 'Disclosure'. Disclosure refers to the idea of 'blabbing' about security flaws when you find them. This is the real division between the geeks and the locksmiths, not 'lockpick envy' as the article above might suggest. The geeks seem to represent Disclosure, and the locksmiths don't want the information in the wrong hands.

I personally am torn on 'Disclosure'; I see validity in both points of view. I don't want anybody disclosing my PIN on the internet. Yet if Barry and his gang figure out that someone can hack into my bank account or my phone...I want them to identify the problem and make the people responsible for it FIX IT. The fact is that most companies, whether software developers, internet developers or lock companies, are often slow to react to 'limited disclosure' efforts. Releasing security flaws to the 'public domain' often causes immediate reactions to fix the problem.

But there is a point when it goes too far. If I found out Barry was coaching individuals who were committing crimes, he should be held accountable. That is the big grey area: if the little teenage girl who is often shown bumping open Medeco® locks goes out and commits a crime by bumping open some jewelry store lock...is the person who taught her those skills a co-conspirator who is going to get in trouble? You would think 'uh, maybe', but consider: would a rifle range instructor from the Marine Corps be held responsible for President Kennedy's death?

Even within the 'underground' the term 'responsible disclosure' has begun to circulate more. I don't know if that has been motivated by the hovering possibility of litigation by some manufacturer or if that whole side of the camp is maturing with age; either way, it is good to hear that some discretion is gaining popularity.

Back to Barry: Barry is a Genius (yes, with a capital G). Barry has been mischaracterized as a 'hacker' when in fact his real life's work is quite the opposite; he works on real security. His lockpicking and bypass seem to be more of a fascination and passion. Barry also happens to be a world-class impressionist.

Barry works for Cryptophone, whose website describes its product as: "GSMK CryptoPhones are the first and only fully trustworthy solution for completely confidential mobile phone calls." That is a pretty big claim, especially for someone whose life is centered around dispelling very similar claims.

To me the most interesting thing about the whole issue is that in his work, Barry embraces the very sword that he swings at various locking devices: they release their source code for review by peers...they dare people (and probably welcome them) to 'hack' it. "Here is our claim: it is secure. Here is our data: see if knowing HOW we secure it helps you hack it." No security through obscurity there. However, I'm sure there are those who would savor a bit of the irony if the technology that secures their secure phone could be hacked and shown on the internet.

Consider this ethical dilemma:

I wonder what would happen if Barry himself discovered a flaw in their phone, even post-production, that would trigger a massive recall if 'full disclosure' were made. If only he knew about it, would he 'out' his own product? Any non-disclosure documents/contracts aside...I bet he probably would.

For all the negative comments I've heard about 'those hackers' giving away all the lock secrets, I have to say that the idea of 'disclosure' reeks of integrity. They really have an open-architecture approach that can serve a purpose.

The ugly truth is that nothing is truly secure; there will always be a 'bypass' or workaround for some measure. "Social engineering" will always be a hole, for sure.

Yet the bell has been rung; it seems you have to hide things in plain sight. It is true that people need better locks on their doors. I personally think that some people in the 'disclosure community' are not really interested in 'helping humanity' by forcing people/manufacturers to improve their security. I think they have found a drum that they can beat and get a bit of attention. But that is their business, and it is not for me to judge whether it is right or wrong, let alone judge their motives.

However, I suspect that one of the 'disclosure guys' will one day utter the magic words, "...but if you pay me $$$, no one has to know about the problem." At that point the 'integrity' part is gone and they will join that 'long grey line'; it turns into blackmail. I'm sure someone will try it one day; the opportunity is just too obvious for someone NOT to do it.

Security comes down to common sense and budget. Do you want a house that is secure against typical attacks, or do you want a house that Barry Wels couldn't get into? If you want the latter, you should probably contract Barry to build it for you...it might take 20 years and cost a billion dollars, but he could probably do it.

A good-quality lock that resists 'real world' attacks such as kicking and prying is the Ultimate Lock. It can be fitted with most types of cylinders; the security of the Ultimate Lock is not in the keyhole, it's in the construction of the dual locking bolt arrangement and the physics of kick resistance. Check it out at www.theultimatelock.com. I have personally installed these devices and have tested them to my satisfaction. We have one on our own training center door.

6 comments:

  1. BTW no hackers or locksmiths were harmed in the making of this blog.
  2. Thank you for your kind words, it is turning a small blush on my face.

    And to turn one on your face: it is Wels with just one 'L' ;)

    Thanks again and kind regards,

    Barry Wels
  3. :) All fixed up, glad I asked you to look!

    (((Blush)))
  4. "Dull, plodding and pedantic. Much like yourself." -- Q to Jean-Luc Picard.
  5. Hmmmm, Mad cow down... wonder who that could be? lol
  6. "We agreed you would never trouble my ship again."

    -- Picard to Q in "Q Who"