

High Security? Maybe.
May 28, 2009 12:22 PM

You are Medeco, one of the world's premier lock companies. And you think your super-secure locks are tight. Until, that is, some upstart troublemaker comes along, reverse engineers them and shows the world (via Wired magazine--with video, natch) just how (supposedly) insecure they are. Then this same troublemaker releases a book giving all your secrets away.

Wired article comes complete with overblown, panic-now headlines (Ultimate Lock Picker Hacks Pentagon) from the Wired writers. You think they had a contest?
posted by ostranenie (75 comments total) 29 users marked this as a favorite

 
I hate when I do that.
posted by Reverend John at 12:24 PM on May 28, 2009 [4 favorites]


I worked in a place that used Medeco locks. All the administrative staff thought those locks were hot shit, and the first time Medeco's "industry leading" security was brought up I thought, "Somebody knows how to pick those locks. It'll hit the web big, soon enough." I spent my time trying to pick the lock of a bulletin board case so I could hang fake fliers announcing my official awesomeness.

Turns out my predictions were right, though I never got that bulletin case open. So many bent and broken paperclips...
posted by Science! at 12:31 PM on May 28, 2009


This was a Feynman fascination as well; I remember learning how to hack physical locks after reading his stories as a teenager. That and the MIT lockpick FAQ over FTP, or maybe Gopher.
posted by fistynuts at 12:31 PM on May 28, 2009 [3 favorites]


The same thing happened to my lock company, Twist Ties and Bent Coat Hangers Inc. I don't know how the hell they figured out that you have to unbend the coat hanger!
posted by Uppity Pigeon #2 at 12:32 PM on May 28, 2009 [10 favorites]


Between my Kryptonite bike lock and Medeco front door, I feel super safe.
posted by Tomorrowful at 12:34 PM on May 28, 2009 [4 favorites]


Reading Feynman was what got me into lockpicking ("Feynman the Safecracker" from Surely You're Joking, Mr. Feynman!). The best, though, was the one about how everyone was warned to keep their combination away from Feynman after he pointed out the various flaws with security (like using the default combination on safes containing ultra-triple-secure documents, and birthdays, and e and so on).

My jaw will really hit the floor when they crack X-09s and similar electronic combination locks. Nanotechnology, maybe?
posted by ostranenie at 12:42 PM on May 28, 2009 [1 favorite]


Marc Weber Tobias was prominently featured in an earlier lock-related Wired story, The Lock Busters.
posted by Western Infidels at 12:43 PM on May 28, 2009


But how does it compare to the "Kryptonite lock vs. a ball-point pen" fiasco?
posted by happyroach at 12:43 PM on May 28, 2009


This is not exactly news. Medecos have been known to be vulnerable to "bumping" for a while.
posted by adamrice at 12:49 PM on May 28, 2009


Re: the Wired video, obviously this guy knows what he's doing, but in a real world situation (if a lock was actually installed in a door rather than being held in a vice) you wouldn't be able to hold your fingers above or behind a lock, nor apply pressure in those directions. Wouldn't giving your hands less room to move make the picking more difficult?
posted by roombythelake at 12:50 PM on May 28, 2009


I thought cryptographer Matt Blaze had brought this whole situation to light several years ago. Yes, his primary lock victims were the Schlage hierarchically keyed systems but he said he had success bumping all locks including Medeco and ASSA high-security locks.
posted by bz at 12:56 PM on May 28, 2009


Well, it's been true for a long time that locks don't really keep you safe from people who know how locks work - see the uproar around Matt Blaze's Master-Keyed Lock Vulnerability, for example, or the fact that lock bumping has been well-known "in the locksmithing community" forever despite completely invalidating the idea of standard locks as a security measure.

Locks are good at keeping out teenagers and other mental defectives (which is, for the most part, more than enough) but beyond that they're good at drawing a clear legal line between where you should be and where you shouldn't, but not much else.
posted by mhoye at 12:56 PM on May 28, 2009 [3 favorites]


Oh just use thermite and a sparkler. Bloody amateurs. (Maybe, quite literally...)
posted by i_cola at 12:57 PM on May 28, 2009


They also don't protect you from losing a race to post relevant links to some other MeFi user. Even "preview" won't save you from that sometimes.
posted by mhoye at 12:58 PM on May 28, 2009


> Re: the Wired video, obviously this guy knows what he's doing, but in a real world situation (if a lock was actually installed in a door rather than being held in a vice) you wouldn't be able to hold your fingers above or behind a lock, nor apply pressure in those directions. Wouldn't giving your hands less room to move make the picking more difficult?

They're not using those angles of access in their process at all, roombythelake. They're basically just resting their fingers on top of the lock because they can. In a real world situation, not getting your fingers on top of the cylinder won't matter at all. The work is being done strictly through the tools that they are using.
posted by NoMich at 1:02 PM on May 28, 2009 [1 favorite]


Despite Medeco's claim that the keys cannot be copied without the secret number, I had a cute assistant who could walk into the local locksmith with just the key, and walk out with a new key.
posted by StickyCarpet at 1:04 PM on May 28, 2009 [3 favorites]


roombythelake: "Wouldn't giving your hands less room to move make the picking more difficult?"

Not really. I'm just an amateur (member of SSDeV, though), but I can tell you that you basically only need two things to pick almost any lock: In most cases this is simply a pointy and a flat piece of metal; one moves back and forward by tiny increments (the distance between the sawteeth on a key), slightly up and down (the distance between the "mountains" and "valleys" of the key) and the other applies steady lateral force, moving only through a couple of degrees. You really don't need much room at all.

And bumping locks is just cheating.
posted by PontifexPrimus at 1:05 PM on May 28, 2009 [2 favorites]


You know those mechanical push-button keypad combination locks? A ridiculously determined friend of mine once got past one of those by brute-forcing the combination. There is no such thing as an undefeatable lock.
posted by Faint of Butt at 1:06 PM on May 28, 2009 [1 favorite]


> thermite and a sparkler

Cue Mission: Impossible theme. Or MacGyver theme. Or _______ (insert theme here) theme.
posted by ostranenie at 1:07 PM on May 28, 2009


The real "secret" to Medeco security is that patents make it illegal for anyone to copy their blanks...
posted by Slothrup at 1:09 PM on May 28, 2009


Aw, I thought it was going to be a Friday Flash Fun post when it started off all, "Assume role Y, and do action X!" on me. And then I'd live out the one fantasy no video game had satisfied before: Lock Engineering Tycoon. Preferably, it'd play like this previously, or this other previously.

I'm really starved for a Friday Flash Fun, so much so that I want it a day early and bring it up in an irrelevant post. Also, I may as well also admit to wanting a new Zachtronics game, since I namedropped two of them.

That said, I protect my valuables by leaving notes that appeal to the burglars' sense of decency. As there is honor among thieves, I post a list of stuff I've pirated online, and tell them what torrents I'm seeding if they want some. I also invite them over for dinner or coffee on the note, and include an inspirational quote from Teddy Roosevelt beneath my signature.
posted by mccarty.tim at 1:09 PM on May 28, 2009 [3 favorites]


FoB: Those pushbutton locks are also known as "Simplex" locks and can be defeated very quickly (or ridiculously quickly if you know how "hard" the combination is--two presses versus three presses versus four presses for example) with a checklist, since using the same button twice in a combination is not permitted due to their mechanical makeup.
posted by ostranenie at 1:11 PM on May 28, 2009 [1 favorite]


> Turns out my predictions were right, though I never got that bulletin case open. So many bent and broken paperclips...

If your strength is high enough you can just (F)orce Lock and it works every time, even for those locks in the Pentagon Citadel.
posted by rokusan at 1:12 PM on May 28, 2009 [1 favorite]


> But how does it compare to the "Kryptonite lock vs. a ball-point pen" fiasco?

apparently it's the same guy.
posted by exogenous at 1:12 PM on May 28, 2009


The mechanical pushbutton locks (like the keyboxes used by realtors) do not pay attention to the number of times a button is pressed or the order you press the buttons.
posted by ryanrs at 1:13 PM on May 28, 2009 [2 favorites]


> thermite and a sparkler
>
> Cue Mission: Impossible theme. Or MacGyver theme. Or _______ (insert theme here)


Yakety Sax. No question.
posted by rokusan at 1:13 PM on May 28, 2009 [3 favorites]


> They're basically just resting their fingers on top of the lock because they can.

I think that was what I had a problem with. The fact that they are resting hands there implies that it's at least more comfortable doing it that way, because of course, if you're sliding tools in, it's easier to do when resting your hands above. Of course, I'm sure doing this on a real door would only slow him down a couple seconds anyway, but my point was that even if it's not cheating, it's not exactly a demonstration of a real world encounter. I guess I blame Wired more than I blame the guy doing the picking.

And on preview, thanks PontifexPrimus. I have no idea how this works, but was just curious with the presentation of the demonstration, and recognized that, if I was doing this as an amateur with clumsy fingers and fiddly tools, I'd totally rest my hand there as well, as a crutch.
posted by roombythelake at 1:14 PM on May 28, 2009


> apparently it's the same guy.

Oh wait, I misinterpreted "he did" to mean "he discovered."
posted by exogenous at 1:14 PM on May 28, 2009


> they're good at drawing a clear legal line between where you should be and where you shouldn't, but not much else.

As my grandfather always said (as he left his car door unlocked at all times), "locked doors keep honest people honest."
posted by Pollomacho at 1:14 PM on May 28, 2009 [1 favorite]


> The mechanical pushbutton locks (like the keyboxes used by realtors) do not pay attention to the number of times a button is pressed or the order you press the buttons.

I worked someplace with one of those where the 3 digits that made up the combo were visibly worn down...
posted by nomisxid at 1:15 PM on May 28, 2009 [2 favorites]


After an office break in, a co-worker did a brute-force attack against a 5-button lock at the back of our office. After about 10 minutes, he was in simply by going through each possible combination in order. The location of the door was such that at night or on a weekend you could spend hours there without being seen. Those locks are provably useless.
posted by GuyZero at 1:28 PM on May 28, 2009


My neighbor, who rents his apartment, was going to lose his heat because the landlord was never around to let the gas company into the locked cellar for a meter reading. So my neighbor went online and ordered a lockpick kit. He studied the instructions for around 10 minutes. He then picked the lock even faster than that. He got a meter reading and submitted it online, problem solved.

I already knew it wasn't that hard to pick a lock, but I had no idea it was that easy.
posted by brain_drain at 1:34 PM on May 28, 2009 [3 favorites]


FoB: I used to work at a defense contractor (no, no one important) but we had a "secure" room protected by one of those Simplex locks (and, strangely, a dial combination lock as well). I had received a delivery on a Friday that had been placed in the room and the rest of the office had left. I wanted my delivery. A checklist and 5 minutes later I had my delivery. Well, it was also 180 lbs, so then I had to deal with moving it, but that lock was garbage.

I understand those locks have a "half-push" mode as well, but no one uses them.
posted by mjbraun at 1:57 PM on May 28, 2009


At my previous job, where locking things up was reasonably important, we used nothing but Abloy Protec locks. A quick look around some lock picking forums seems to indicate that these are still pretty well regarded. Of course there is always a way.
posted by markr at 2:02 PM on May 28, 2009


So is an ATM PIN next to useless?
posted by 3FLryan at 2:02 PM on May 28, 2009


3FLryan: ATM PINs rely on two of the three common security elements ("something you have", "something you are" or "something you know"). You have to have a card (real or fake) as well as know the PIN. Also, you get something like 3 chances at entering the PIN before the ATM noms your card. So it's not the same thing.

(BTW: "something you are" = biometrics)
posted by mjbraun at 2:06 PM on May 28, 2009 [2 favorites]
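
Added example (not part of any comment in this thread): the keyspace arithmetic behind the pushbutton-lock comments above and the ATM PIN comparison, as a defender would run it when rating a lock. The three lock models, the function names and the seconds-per-try figures are assumptions made for illustration; the grouped-press model (several buttons pressed together as one step) is not described in the thread.

```python
"""Keyspace estimates for pushbutton locks versus a PIN with a retry limit.

Constructed illustration: the lock models and timings are assumptions,
not measurements of any real product.
"""
from fractions import Fraction
from math import comb, perm


def ordered_no_repeat(buttons: int) -> int:
    """Order matters, each button used at most once, 1..buttons presses."""
    return sum(perm(buttons, k) for k in range(1, buttons + 1))


def unordered_no_repeat(buttons: int) -> int:
    """Order and press count ignored: any non-empty set of buttons."""
    return 2 ** buttons - 1


def ordered_groupings(k: int) -> int:
    """Ways to arrange k distinct buttons as an ordered series of steps,
    each step being one or more buttons pressed together (Fubini number)."""
    table = [1]  # zero buttons: exactly one (empty) arrangement
    for n in range(1, k + 1):
        # Choose the i buttons of the first step, then arrange the rest.
        table.append(sum(comb(n, i) * table[n - i] for i in range(1, n + 1)))
    return table[k]


def grouped_no_repeat(buttons: int) -> int:
    """Assumed model: pick any non-empty subset of buttons, each used once,
    then arrange the subset into ordered steps of simultaneous presses."""
    return sum(
        comb(buttons, k) * ordered_groupings(k) for k in range(1, buttons + 1)
    )


def minutes_to_exhaust(keyspace: int, seconds_per_try: float) -> float:
    """Worst-case time to try every setting when nothing limits retries."""
    return keyspace * seconds_per_try / 60


def guess_probability(keyspace: int, tries: int) -> Fraction:
    """Chance of hitting a uniformly chosen secret within `tries` guesses,
    the situation a retry limit (card retained after N misses) creates."""
    return Fraction(min(tries, keyspace), keyspace)


if __name__ == "__main__":
    n = 5  # five-button lock, as in the comments above
    models = {
        "order ignored (keybox style)": unordered_no_repeat(n),
        "ordered, no repeats": ordered_no_repeat(n),
        "ordered steps, grouped presses (assumed)": grouped_no_repeat(n),
    }
    for name, size in models.items():
        # 2 seconds per attempt is an assumed figure, not a measurement.
        print(f"{name:42s} {size:5d} settings, "
              f"{minutes_to_exhaust(size, 2.0):5.1f} min worst case")

    pin_space = 10 ** 4  # four-digit PIN
    print("4-digit PIN, 3 tries before lockout:",
          guess_probability(pin_space, 3))
```

With no retry limit the whole keyspace is reachable in minutes under every model; the three-try limit caps a guesser at 3 in 10,000 however fast each try is.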


Ah. Thanks mj, that was a nice explanation.
posted by 3FLryan at 2:14 PM on May 28, 2009


> Despite Medeco's claim that the keys cannot be copied without the secret number, I had a cute assistant who could walk into the local locksmith with just the key, and walk out with a new key.

I don't have a cute assistant, and I too was able to walk down to the locksmith and get a copy made of my Medeco key.
posted by inigo2 at 2:24 PM on May 28, 2009


So why spend a hundred bucks on a Medeco when it is really no more secure than a ten dollar Kwikset?
posted by caddis at 2:29 PM on May 28, 2009


Here is the heart of their exploit, apparently:

> An extensive analysis of second and third generation Medeco codes has allowed us to develop four keys that can be used to bump and pick virtually all non-master keyed Biaxial and m3 locks that were pinned to codes in the codebook prior to December, 2007. A maximum of sixteen keys will accomplish the same result for new locks that are pinned to Generation-3 codes in 2008.

So, basically, if you rekey your Medeco lock post 2007, then it requires sixteen specialized keys to pick, 2007 and earlier 4 special keys. Not sure, but you might be able to rekey earlier locks to the newer code level. If so, then you have a mess as to which set of keys to use, or both, on older locks.

So, if you know what year the lock was pinned, and have special tools, you can pick it pretty quickly. Without either of those two, the process is a bit longer. This isn't an any idiot and a hammer exploit, it requires planning, special tools, and a capable technician, so it would seem.

The Wired test used two brand new locks, so they knew to use the 16 key set. If Wired had mixed it up a bit, they would have still managed to open everything, but most likely not as rapidly.

Glue a lockpick onto the spout of a battery powered engraver, stick it in a standard lock and go bzzz, use a tension wrench to turn the lock. The result is pretty much any lock with standard pins will fall in a second or two. I've seen a locksmith do this, it isn't a theory.

So, Medeco locks can be picked, but not as easily as a regular lock. I think that it is good this came out, now we won't be fooled into thinking a determined, trained individual with resources can't get past one. Yahoos that can glue stuff will continue to be limited to lesser targets.

As an aside, some Medecos are standard, and others are restricted keyway. If the keyway is restricted that means it is a special shape and only the company that owns it can have the blanks. Medeco sells this right to a fair number of places, but they are all different. On standard ones, anyone that sells Medeco can have that blank, so Locksmiths are less worried about breaking protocol.
posted by Antidisestablishmentarianist at 2:33 PM on May 28, 2009 [1 favorite]


> Those pushbutton locks are also known as "Simplex" locks

I used to work at a company that had a lot of NSA contracts. First day of work my buddy & I go out the back door for a smoke break, we didn't notice that the door was locked with a Simplex lock instead of the proximity card readers the other doors had. Took me 3 tries to guess the combo.

> I worked someplace with one of those where the 3 digits that made up the combo were visibly worn down...

That's a common vulnerability for all pushbutton combination locks, except one vendor, Cypher Locks (no longer in business from what I can tell). Cypher used touch sensitive buttons with embedded LEDs that were randomly assigned each digit to be displayed. That way each button would get equal wear; even if you sprayed the keypad with a trace substance to see which keys were pressed, the next time you use the keypad each number will be assigned a different position.

A few years after I left the NSA contractor, I got a call from a friend who was still there. He was faced with opening a pushbutton lock & remembered that I had some way of defeating them. Turned out his lock was a Cypher, not a Simplex. My rep had grown a bit in my absence.
posted by scalefree at 2:34 PM on May 28, 2009 [3 favorites]


Christ, buy 10-20 cheaper locks and put them all over the door. Aside from your hassle, anyone attempting to break in would sigh with exasperation.
posted by flippant at 2:37 PM on May 28, 2009 [3 favorites]


> ATM PINs rely on two of the three common security elements ("something you have", "something you are" or "something you know").

There's now a fourth factor of authentication, geosecurity ("where you are"). It was independently & more or less simultaneously invented by Dr. Dorothy Denning & yours truly, though she got the credit for it.
posted by scalefree at 2:40 PM on May 28, 2009 [4 favorites]


> Soon Tobias was trapping racketeers through wiretaps and rigging hidden cameras in hospitals and churches to catch junkie night nurses and pedophile Catholic priests. ("That was really fun," Tobias says. "Especially as a Jew.")
Heh.
posted by Halloween Jack at 2:41 PM on May 28, 2009 [1 favorite]


> The real "secret" to Medeco security is that patents make it illegal for anyone to copy their blanks.

And as we all know, thieves would never break the law.
posted by Chocolate Pickle at 3:02 PM on May 28, 2009 [2 favorites]


> And bumping locks is just cheating.
> posted by PontifexPrimus at 1:05 PM on May 28


I am totally putting signs that say "bumping locks is just cheating" above all my Medeco locks.

(But yeah. During a fairly brief phase in my life when I was also pretty into lockpicking, I got decently competent at it -- but I never came close to being able to open a Medeco. "Not close" is an understatement here -- in my memory those locks had demonic powers, malevolence that went way beyond the mere fact that the pins could pivot around and were serrated and god knows what else. Seeing those locks opened in this way is cool, but also a little like watching Superman get done in by somebody who just happened to drive a Kryptonite bus.)
posted by chalkbored at 3:11 PM on May 28, 2009 [1 favorite]


We got computer, we're tapping phone lines, I know that ain't allowed...
posted by Antidisestablishmentarianist at 3:27 PM on May 28, 2009


I taught myself to pick locks in an effort to keep my hands busy at a very boring desk job. We ended up getting a big knot of differing kinds of padlock and we'd just pass it around seeing how many we could get through.

Eventually, through lots and lots of use (and learning) I broke my picks, so I then taught myself how to grind new ones out of jigsaw blades with a Dremel.

It's actually a kind of nice feeling, knowing that with just what is in my head and some rudimentary tools, I can fabricate everything I need to get into most places.

Though, it's not lost on me that all the effort I put into learning this stuff is mostly irrelevant in the face of the fact that I can just as easily bypass all these same locks with either a sledgehammer, a pair of bolt cutters, or an angle-grinder.
posted by quin at 3:30 PM on May 28, 2009


Let's see him beat these locks!
posted by JBennett at 3:46 PM on May 28, 2009 [2 favorites]


Sure this is bad news for Medeco, but it's great news for paper clip companies!

Yes, the glass is half full.
posted by Blazecock Pileon at 4:03 PM on May 28, 2009


> There's now a fourth factor of authentication, geosecurity ("where you are").

I'd like to preemptively claim credit for the 5th factor: "how you are". Feeling out of sorts? Under the weather? No cash for you.
posted by logicpunk at 4:26 PM on May 28, 2009 [3 favorites]


> Let's see him beat these locks!

Just give me a sledgehammer, a pair of bolt cutters or an angle-grinder.
posted by Faint of Butt at 4:44 PM on May 28, 2009


Well, if you want to get into my locker at the gym, all you have to do is look on the back of my combination lock where I have scratched the combination because I can't remember shit anymore.
posted by digsrus at 4:49 PM on May 28, 2009 [1 favorite]


I thought that the Mul T Lock interactive was more secure, but there's probably a hack for that, too.

If this were to void Medeco's UL 437 standard for its cylinders, it would remove them from a whole lot of high security building specifications. That being said, almost every form of physical security has an exploit to defeat it. You can't just have mechanical security, you have to have electronic, too. Behind all that: A man (or woman).

It all comes down to the Wizard of Oz, I guess.

Tobias just seems like some sort of egomaniacal, giant-killing lunatic. There's an essential misanthropy that he's trying to hide behind his exploits. It's interesting, he's like Holmes and Moriarty all balled up into one conflicted person.
posted by Arquimedez Pozo at 4:51 PM on May 28, 2009


> I'd like to preemptively claim credit for the 5th factor: "how you are".

You joke about it but come to think of it there actually is such a thing. Car ignition systems can be fitted with breathalyzers & simple hand-eye coordination puzzles to prove you're not drunk before starting the car.
posted by scalefree at 5:27 PM on May 28, 2009 [1 favorite]


Those "why you are" security systems are just cruel. Your parents tell you one day that you were an accident and your credit card immediately melts.
posted by Uppity Pigeon #2 at 5:40 PM on May 28, 2009 [3 favorites]


Outstanding post!

Posts like this are one of the reasons I love the Internet and absolutely cherish Metafilter in particular. Allow me to elaborate.

Perhaps because I'm 46, I'm noticing an historical context that's not really being touched on. Though I can tell many of the posters here pick locks or venerate the craft, I suspect that many of them are younger than me. Like Tobias, I started picking locks when I was 15, but in the 1970's. I bought a commercial HPC set from a supplier in Great Falls, Montana named "Prince E. Wheeler". I think "Prince" was his vaudevillian stage title. The pick set came with a small pamphlet that was next to useless as far as practical information on how to really pick pin tumbler locks. Nevertheless, I was determined, and through methodical practice and a great deal of time was able to start picking locks.

The point being that in the 1970's there was essentially ZERO information on HOW to pick locks! Unless you were a professional locksmith you simply couldn't get information on the subject, or at least I couldn't.

Somewhere in the 1980's the situation changed. Book publisher Mike Hoy was living in Michigan, and also found there were essentially no books available on the subject. As it happened, Hoy knew a man who called himself "Eddie the Wire", who made his own lockpicks. Hoy got Eddie to write a book on the subject.

Later Hoy moved to Port Townsend, Washington where Loompanics grew and became quite successful. Eddie eventually wrote four books on the subject, which were later re-published in one volume. Here is a set of lockpicks that Eddie made and gave to Mike Hoy.

Though my dedication to picking locks tapered off as I got older, it did prove useful when I had lots of waiting around to do.

By the mid 1990's, I had become more interested in making the picks than actually picking the locks. I had discovered simpler techniques than those that Eddie the Wire used, and had discussed with Mike Hoy writing a book for Loompanics. That project never came to pass, and by the late 1990's and early 2000's I could see the writing on the wall.

The Internet would change everything.

Back in the 1970's, picking locks was even more esoteric than using computers, and there was no popular information on the subject. Today it's just another subdivision of hacking. I've personally lived through it all, the desert of information nothingness, to one guy's books, to instantaneous, ubiquitous, and meticulously detailed information. And the craft has evolved enormously, too. It's like witnessing the transition from steel roller skate wheels on a 2 x 4 to Rodney Mullen.

For those younger than me who grew up with the Internet, you really have no idea what it was like growing up in an intellectual desert, as far as esoterica goes. The Internet at large and Metafilter in particular really do represent the glory of intellectual creation, and I'm glad to have lived long enough to witness something beautiful and profound like this.

Thank you. Thank you for a profoundly moving post.
posted by Tube at 6:26 PM on May 28, 2009 [24 favorites]


The "what you are" security systems, on the other hand, are a good idea.

On the downside, you won't be able to send your doberman down to the corner store to fetch the evening's beer money any more. But once your electronic funds account is keyed to your humanity, no more worries about evil robots stealing your cash from the ATM.
posted by ardgedee at 6:31 PM on May 28, 2009 [1 favorite]


Coding contest time! How do you compute the shortest sequence of key presses that has every possible combination for a simplex lock?
posted by jewzilla at 7:46 PM on May 28, 2009


jewzilla: de Bruijn sequence.
posted by phrontist at 7:56 PM on May 28, 2009


> I'd like to preemptively claim credit for the 5th factor: "how you are".
>
> You joke about it but come to think of it there actually is such a thing.


dammit, you're right. And I completely forgot about Google's Mail Goggles.

So now I'm staking a claim to "why you are" security. Does God have a special plan for you? Or were you brought into being by the dumb forces of a cold, uncaring universe that has no special interest in whether you continue to exist? Either way: No. Cash. For you.
posted by logicpunk at 8:12 PM on May 28, 2009


> So now I'm staking a claim to "why you are" security.

Sorry, prior art.
posted by Antidisestablishmentarianist at 8:20 PM on May 28, 2009


Oddly, Wolfram Alpha doesn't know what to do with deBruijn sequences.
posted by scalefree at 8:37 PM on May 28, 2009


I'm working on an 'if you are' security system in which you must demonstrate beyond any refutation your existence to an AI that is also a determined solipsist.
posted by Ritchie at 8:45 PM on May 28, 2009


> Sorry, prior art.

Yeah, I fail at metafilter today.

References:
Neale (2007). Post Title: City 7, comment 1902303
posted by logicpunk at 9:26 PM on May 28, 2009


> I'm working on an 'if you are' security system in which you must demonstrate beyond any refutation your existence to an AI that is also a determined solipsist.

You must teach it ... phenomenology.
posted by dhartung at 9:28 PM on May 28, 2009


Time locks would be the fourth security element before geolocation.

I'm surprised that "high security" locks still use pins instead of plates.
posted by BrotherCaine at 9:38 PM on May 28, 2009


"That's a common vulnerability for all pushbutton combination locks,"

I've got an electronic push button deadbolt on my front door. I've side stepped this by coding three sets of numbers that include all the numbers on the lock.
posted by Mitheral at 9:43 PM on May 28, 2009 [1 favorite]


Are Disc Tumbler Locks as vulnerable to bumping/picking?
posted by BrotherCaine at 9:59 PM on May 28, 2009


> I've got an electronic push button deadbolt on my front door. I've side stepped this by coding three sets of numbers that include all the numbers on the lock.

Party at Mitheral's house! The code is 1-2-3-4-5-6-7-8-9-0!
posted by Pollomacho at 4:33 AM on May 29, 2009


I think most people who design high security facilities will probably keep using these kind of locks because most people who do this for a living understand that everything is just a deterrent and/or a delay. If it takes you 30 seconds to break the lock maybe in that time a guard will see you or you will enter an area with other sensors that you trip unknowingly or a camera sees you or... it's referred to as "defense in depth." I don't think anyone has any illusions that these things are unbreakable.

I think the comment above about this guy being a bit of a misanthrope is pretty right on because breaking these locks seems like a curiosity at best to me. Sure is cool you can do it, but what does it really gain you?
posted by zennoshinjou at 5:19 AM on May 29, 2009


I will patent "When you are" security, though it's a bit useless until someone creates a time machine.
posted by ymgve at 9:11 AM on May 29, 2009


1 point to phrontist.
posted by jewzilla at 1:00 PM on May 29, 2009


That's actually why this is a big deal, zennoshinjou. High security locks promise to keep out the bad guys for 10 or 15 minutes, depending on which national standard you're using. That time assumes best case conditions, a highly skilled attacker, and working in a lab environment. So even in an ideal attack, the Medeco lock promised to last for at least ten minutes. Tobias has shown that this is not true. Now you either need to fix the locks or increase the frequency of your foot patrols.
posted by ryanrs at 8:09 PM on May 29, 2009 [1 favorite]


At a hacker con I once met the CIA's locksmith. He told me about doing a site survey of a Defense contractor for their periodic security certification. He was doing a walkthrough of the facility accompanied by the contractor's SSO & came to a door at the end of a hallway. As they approached it the SSO fumbled for the proper key. The CIA's locksmith took a few quick strides & beat him to the door, then said "don't bother". He turned around & handed the SSO the lock. Yeah, some people really are that good.
posted by scalefree at 9:19 AM on May 31, 2009




This thread has been archived and is closed to new comments