Unexpectedly, my paper got some press attention. @jswatz_tx@threads.net found it and wrote a short piece in the NY Times.
And then locksmiths freaked out. I mean completely lost it. They were very upset, not so much that a very common lock design had a basic security flaw, but that an "outsider" found it and had the poor moral character to make it public.
I started getting weird death threats. They doxed me ("let's see what kind of lock the bastard has on HIS house").
2/
A trade publication called The National Locksmith ran monthly guest editorials in which prominent members of that profession were invited to denounce me. My favorite quote, from a locksmith named Billy Edwards, who had written a book on master keying, and who took my paper rather personally.
3/
@mattblaze@federate.social oh, those sweet sweet innocent souls, no clue how deeply fucked up the world they live in really is
I should point out that master keying was about a century old at the time, and while the mechanical details weren't secret, locksmiths tended to regard the inner workings of locks as "restricted knowledge", rather like a medieval trade guild. I didn't understand this.
What took me by surprise was how different the physical security world's attitude was compared with that of my community, where the ethics of discussion of vulnerabilities has long been essentially settled in favor of openness.
4/
Essentially, their argument was that this would be a huge pain and expense to fix, and so we are all better off just keeping it on the down low. And that kind of worked, for about a hundred years, until more open communities - like computer security research - started looking seriously at locks (as both metaphors and as interesting mechanisms in their own right).
I see their point, even if I personally reject it. But in the age of the Internet, you just can't keep this kind of stuff secret.
5/
@mattblaze@federate.social as a woman who has lived alone I don't know that I'd buy it worked... Every problematic guy with a locksmith friend or some skills himself was probably terrorizing some ex girlfriend or ex wife, and we just never heard about it.
Anyway, my intent in looking at locks and publishing my paper wasn't to disrupt the lock industry. I believed, as I still do, that mechanical locks and physical security have quite a bit to teach computing, but also that the abstract techniques of cryptography and computer security can illuminate weaknesses that are hard to see when looking at systems in strictly mechanical terms.
My attack is intuitive and obvious to cryptographers, but rather subtle without our field's tools.
6/
@mattblaze@federate.social I had a similar experience in an unrelated area (except, of course, that it was @jswatz@journa.host who also wrote it up). After downloading district court records, we discovered a large number of bugs: disclosure of names of minor children, of confidential informants, of medical records, and tons of SSNs and other IDs. The courts went ballistic, they were convinced that the PACER paywall was protecting privacy and by disclosing the bug, I had blown their cover.
I never did reach a truce with the locksmiths. A couple years later, I met Billy Edwards, the author of that editorial denouncing me, at a trade show, and when he learned who I was he refused to shake my hand and asked me to leave him alone.
I wish he had seen things differently, but I can respect that he was coming from a place of genuine concern, even if I think his approach was wrong.
To this day, I worry that I'm pretty screwed if I get locked out of my house.
7/7
NB: While I never intended to piss off locksmiths with my master keying paper, I did write a followup a couple years later about safes and safecracking, partly out of spite.
https://www.mattblaze.org/papers/safelocks.pdf
TL;dr: We can learn a lot from safes and safe locks, and the frameworks of cryptography and computer security are applicable there, too. The fact that our learning about this subject makes people in that industry upset is just a bonus.
I wrote that paper after I had moved from AT&T Labs to U. Penn. The Penn locksmith went totally apoplectic, and wrote regular angry letters to the dean and to the head of campus security warning about what an irresponsible, dangerous menace I am. But for whatever reason, his efforts were unsuccessful in getting me fired; the administration just forwarded me his letters, which I taped to the door of my office.
It occurs to me that people outside the security field might find it odd that we openly publish stuff like this. Why help people who might use the knowledge to do bad things?
There are a number of reasons. The first is that only through open discussion are we able to identify and fix problems. Another, which is what motivated my work, is educational: you can't learn to defend systems unless you understand how they are attacked.
So while openly publishing offensive security techniques might indeed help criminals, that harm is outweighed by significant benefits. Every properly trained computer science student should understand how to exploit vulnerabilities. Because the attackers DEFINITELY understand it.
The bottom line here is that while being the subject of attack by a deranged internet mob is never fun, sometimes it's the cost of doing business for doing interesting work.
And for those who yell at me for posting black and white photos or not putting content warnings on discussions of current events or not using enough hashtags or whatever, don't bother. I've stared down angry locksmiths and come out the other side.
I've gotten a few replies asking me if I regret publishing this or would do anything differently.
No. I'm proud of this work. I think it has value. I would do nothing differently. I am, evidently, remorseless and incorrigible.
@mattblaze@federate.social
The issue is not "how can I protect my 42 Rolexes from thieves?" but "Why must a thief pick my 42 Rolexes?", which leads one to ask "Who taught this person that having 42 Rolexes is good?", i.e. "Who invented the competition based on the possession of things?".