The argument goes like this: Disclosure advocates say their efforts improve security by compelling lock manufacturers and software developers to address critical flaws. Those who prefer to keep the cat in the bag say the public release of vulnerabilities helps criminals and endangers the community at large.
I've always been on the disclosure side, because I think software vendors often need the heat of a public disclosure to promptly address vulnerabilities. It's also naïve to assume that criminals don't know about the vulnerability. Secrecy helps bad guys more than good guys.
But I'll admit the lock-picking story gave me pause. As the article rightly notes, there are key (pardon the pun) differences between hacking computers and hacking locks.
Software vulnerabilities can be fixed with a patch that is relatively easy to distribute. Massive security hole in Firefox? We can be reasonably confident of a new version of the browser within a day or so, and one click gets you the upgrade.
But when a would-be MacGyver discovers he can open the deadbolt on your front door with a toothpick and bubble gum, the manufacturer can't immediately churn out heaps of new gum-proof locks and dispatch armies of locksmiths to rip and replace all the vulnerable units out there.
As a father of two young children I have a strong instinct to keep them safe. Every night before bed I double- and triple-check that all doors and windows in the house are locked. To know that hobbyists are swapping new ways to jimmy those locks gives me the creeps.
But then I calmed down and thought about it more. A major software vulnerability and a major lock vulnerability can both affect millions of people, but the scope isn't the same. A computer criminal can attack thousands or millions of machines simultaneously, but a house-breaker can only attack one lock at a time.
Also, I presume that criminals who keep up on the latest lock-picking techniques are probably going after higher-value targets, like Park Avenue apartments or Silicon Valley McMansions. The housebreakers likely to hit my neighborhood are opportunists who spot an open back door, or reckless types who'd just break the glass.
In either case, I haven't been adversely affected by the public sharing of lock-picking techniques. And if manufacturers are addressing major flaws uncovered by locksporters, I benefit every time I buy a new lock.
If locksporting still spooks you, remember that defense in depth is the best security strategy. An alarm system -- including a prominently placed yard sign -- may deter burglars from testing their skills against your locks. Large, salivating dogs named Wolf, Widowmaker, or Chopper might also come in handy.