First off, an introduction is in order. My name is Greg Houser, and I’m one of the new fish here at exida (no, that’s not a typo – the ‘e’ is lowercase in “exida”). And this is the first of what I hope will be many cybersecurity blog posts I will be posting to the exida website in the future. I must admit that it’s a bit weird to be writing about cybersecurity as a topic, as prior to my position with exida, I worked for over 17 years with one of the largest companies in the defense industry. Not surprisingly, they weren’t very big on having employees talk about their experiences with the company, or anything regarding their job. When I saw that not only do the engineers at exida blog about all manner of security topics, but that the company actively encourages it? Well, it took a bit for me to get my head around. And after speaking with a few people about how to kick things off, I thought that chatting about something on the lighter side would be the way to go.
Fair warning up front – I’m a bit more casual a writer than most when it comes to cybersecurity topics, but don’t worry, we’ll have some fun along the way.
So let me start by telling you about one of the more amusing ice breakers I enjoy using at parties. It just so happens to be telling people about the first thing that I learned at college. Now my first weekend at college was like most people’s, full of excitement and a little bit of anxiety about how I was going to fit into this big new world I was now becoming a part of. One of the normal first-year traditions was a visit from the Resident Assistant, who was a very friendly guy named Ron. After the initial introduction and welcome, Ron invited my new roommate and me to stop by his room to learn a bit more about the campus and to receive some information that each of the students was required to receive. Being wide-eyed first-year students, we were all too happy to oblige, plus… he had a TV, which was a rare commodity at the time. So later that evening, we stopped by and while going through the required items that every new student to the dorms was supposed to perform, I couldn’t help but take in everything that was around me. It’s a natural thing for me, but especially now, I was a sponge. One of the items that caught my attention was a pair of handcuffs hanging on a wood beam used to support his loft. Me being me, I couldn’t help but make a joke about the handcuffs, which garnered a response I was not expecting. Ron promptly took the handcuffs and asked me if I wanted to see him get out of them using nothing more than a paperclip. Absolutely!!! First weekend, and goofy hijinks already? This was too good to be true! So, Ron secured the handcuffs around his wrists, reached over to his desk and picked up a paperclip, and in the blink of an eye he was out of them again.
I spent the rest of the weekend bugging Ron about how he was able to get out of the handcuffs until he finally showed me. Now, I can honestly say that the first thing I ever learned at college was how to get out of police-issue handcuffs using nothing more than an ordinary paperclip.
What I didn’t realize at the time was that this moment would be my gateway into a very addictive pastime for me during my freshman year, and that this weird little hobby that I picked up would serve me very well throughout the rest of my life.
“That’s great, Greg… why should I care?”
Well, there’s a reason I mentioned the topic. You see, lockpicking is nothing more than a physical version of what cybersecurity practitioners, and specifically those who enjoy penetration testing, do in the digital world. There’s a reason that lockpicking is a regular track at hacking conventions. When you think about it, it makes sense: hackers have traditionally learned how systems worked, what makes them tick, and how to get them to do things they weren’t originally intended to do. Cybersecurity controls are designed to keep people out or to restrict their movements within a computer system or environment. Locks are just physical manifestations of this same concept. Kind of a match made in heaven if you ask me.
Let me be frank, it’s a hobby/skill that takes a bit of time to develop, not to mention patience, and a bit of luck. It’s one of those things that is just as much of an art as it is science, which becomes readily apparent when you see anyone with talent pick a lock.
In general, lockpicking is a simple enough concept – you attempt to line up the pins and turn the chamber of the lock. If you’ve done it right, the lock opens. When you think about it, a cybersecurity control isn’t all that different. If you can figure out the correct permissions and find a way to replay them in the right way, the system grants you access. Simple concept, but the execution is much, much harder (both when it comes to lockpicking, and with cybersecurity). You’re not going to consistently (or quickly) see success from your efforts when you first start. And you’re going to find that different types of locks present different challenges when it comes to trying to defeat them, much in the same manner that different cybersecurity controls require different techniques to defeat (which is why the concept of “Defense in Depth” is such an important one in any cybersecurity architecture). You need patience, a light touch, and knowledge. Wait… these are some of the very same traits you want to have when you are designing a security architecture or performing a penetration test. What a coincidence!
So, aside from being a quirky/cool trick to impress your friends with, and the parallel between cybersecurity and the physical security of a lock, what are the benefits of learning to pick locks?
Here’s the obvious one: it teaches you to think like the enemy. If there’s one issue that I usually run into when working with other Security Engineers, it’s that they’re really good at figuring out how to secure a system, environment, or device, but not very good at thinking about how to abuse those very same systems they’re charged with protecting. To be fair, thinking like an attacker requires a different mindset, and one that is completely opposite from how most people operate. It just goes against our better nature, right? Lockpicking teaches you to go against the grain. It challenges you to think about how to get a system to do something that it wasn’t originally intended to do. Additionally, it further pushes you to do so in the most efficient way possible. It also teaches you to be more observant when it comes to identifying flaws. There are many ways to pick a lock, and each type of lock presents its own challenges and skill requirements. Each method of lockpicking (and there are more than you can shake a stick at) has its own advantages and disadvantages based on the situation. The same can be said of any cybersecurity control. Lockpicking teaches you how to look at things, and in particular, to look for the flaws, from multiple angles without getting locked into one specific mindset.
It teaches patience. There’s no way around it. You need patience to pick a lock. If you’re careless, you’ll end up with broken tools and possibly even a broken lock. It also requires focus, because without that, you’re not going to notice when you’ve properly set a particular pin in a lock, and you’re going to end up going nowhere fast. When you’re picking a lock, the lock communicates with you via feedback. The internal mechanisms of the lock tell you what the device is doing, even though the manufacturers don’t want you to know the inner workings of the device. Patience and focus allow you to properly observe these things and to understand what these messages mean. The same goes when it comes to cybersecurity – when you rush through things, you’re more likely to miss flaws and to make mistakes. How many times have we read about a cybersecurity breach where the root cause was a misconfigured device or a glaring hole in the system architecture caused because the design team was rushed? Lockpicking forces you to come to terms with the reality that sometimes it’s going to take a few different techniques to get past an obstacle, and that you must use all of them patiently (NOTE: your manager and/or business planner will probably disagree. Just toss them a lock and a set of picks and they’ll eventually come around).
Lockpicking is also a terrific way to better develop and hone the skills one needs to perform “visual thinking” (which is a nifty buzzword for a person thinking about information by using pictures instead of words). This is one of the main reasons that lockpicking keeps me coming back for more after all these years. I was not the world’s greatest visual thinker by nature. If you gave me a diagram or sketch (or the opportunity to make a few drafts of my own) I was good, but otherwise I’d occasionally run into trouble. Lockpicking taught me how to visualize things much better. In short, I had no other option if I wanted to be successful with it. The fun part is that it really taught me how to visualize security systems and controls. If I could visualize how a locking mechanism, such as the lock on a safe or even a simple Master key lock, operated, it didn’t take much to stretch that muscle into visualizing how the security architecture for a particular environment worked. Just as importantly, it lets me visualize any flaws that might be present in that architecture.
Perhaps the most important thing that lockpicking can teach us is that every lock can be opened. Let me repeat that – EVERY LOCK CAN BE OPENED!!! It is the very nature of a lock to open. It is also the very nature of a lock to close, but only to those who do not have the right credentials or need for access. A lock is not meant to stay closed to everyone, but to let the right people in, and that is its fundamental flaw. Those who pick locks understand this. All they need to do is to somehow, some way, get the lock to open for them even though it shouldn’t. It doesn’t even have to open in the way it was originally designed to be opened. The person attempting to pick a lock knows that the lock will open given the right technique, therefore it can be opened. Herein lies the lesson: There is no perfect security. I’m going to repeat this one as well – THERE IS NO PERFECT SECURITY!!! I’ve lost count of the number of times in my career where I’ve heard someone tell me a device or system was “100% secure” or that it was “impossible for an attacker to get past our defenses”, only for a penetration test (or worse, an actual cybersecurity event) to show that there was an exploitable flaw in their architecture which allowed an intruder to gain access, and in some cases, control of their environment. Lockpicking teaches the cybersecurity professional that every system they encounter or develop has a flaw in its design. Put another way, every lock has a key – and what kind of key can tell you a lot about how to get past the lock.
In conclusion, lockpicking is one of the more interesting ways that I’ve found to develop deeper skills as a cybersecurity professional. For those who are interested, I highly recommend hitting YouTube, becoming familiar with the MIT Guide to Lock Picking, picking up a starter set from Sparrow or Peterson, and asking lots of questions on the lockpicking subreddit.
Worst case, you might have a fun ice breaker to tell at parties.