Getting into a computer system is an art. It takes talent, patience, knowledge and a lot of luck. While most polling, selecting, and testing takes place in long lines of code on a computer screen, the process is the digital age equivalent of picking a lock – a skill that many hackers also own it.
At the Eleventh Hackers On Planet Earth Conference, a gathering of programmers, hackers, and scientists in New York City, one of the largest sections of the main floor of the conference was not devoted to computers. Instead, it was an open room with rows of long tables called “Lockpick Village”. Inside, sharp metal picks and tilted “turning tools” littered tables covered with white linens, and participants sat leaning over padlocks, not keyboards. Volunteers, recognizable by their black t-shirts emblazoned with TOOOL, the open organization of crocheters, walked the rows to offer their help.
The little clicks and scrapes of the picks working on the locks rustle around the room.
It’s “almost like the knitting needles of older women,” says Kristi Farinelli, a software programmer in her twenties working on a MasterLock padlock.
TOOOL is a 501 (c) (3) nonprofit that promotes “locksport,” as hobbyists call it, with chapters in most major cities across the United States and a handful overseas. There are two “golden rules” to the organization: don’t pick locks you don’t own and don’t pick locks you rely on. In other words, don’t commit a break and enter offense or compromise a lock that you need for your own safety (if you break a hook in your front door, that’s a problem).
The US branch of TOOOL started at the HOPE conference in 2006, and has been a staple of hacking conventions across the country ever since. It turns out that hackers love to break into physical locks as well. Most followers of the HOPE conference see hacking as a mindset rather than a particular skill – in its essence, hacking is about pushing and questioning the limits imposed, testing things to see what happens. This mantra applies just as much to locked doors as it does to closed computer networks (which, by coincidence, are often found behind locked doors), so physical lockpicking has always been part of hacking.
“It’s the same as digital security, except you look at physical vulnerabilities,” says Max Power, TOOOL member of the Boston chapter. Some hookers frequently participate in pen tests or penetration testing exercises, where they use a combination of skills, including lockpicking, to test the security of a business facility. Penetration testing is common in physical and digital security. Organizations like the Pentagon hire security researchers and “white hat” hackers to test their digital and physical defenses.
Here is Power showing how to pick a lock:
“Locks are definitely the tangible equivalent of online and electronic security,” says David Fiddler, security expert at SEREPick, a company that trains military and law enforcement professionals in escape techniques. and infiltration such as locking doors and opening handcuffs or other restraints. “Just as cybersecurity experts focus on exploits and insecure points in the digital landscape, so they see locks in the physical world. Locks are just potential security holes in real life. Fiddler said many penetration testers, like Power and its TOOOL cohorts, also use social engineering to test the safety of their customers.
Like hacking, lockpicking is often grossly distorted onscreen. The real thing isn’t a complicated process, but it does require a tremendous amount of skill and dexterity to master. Pickers typically use two tools: a hook, which is a thin, bent piece of metal of different shapes (depending on the type) used to push the lock pins into place, much like a key. The turning tool, a flat L- or S-shaped piece of metal slides into the bottom of the keyway and is used to maintain light pressure on the “plug”, the center of the turning lock. When the preparer places the pins in the right place, the socket turns and the lock is opened. In real life, it’s much more difficult than that, but with a little patience, a complete novice can open simple padlocks and TOOOL’s one- and two-pin drive locks after about 10 minutes. Yet Hollywood generally persists in putting on ridiculous representations of the practice – caps that don’t turn, locks that are hooked with one tool. There are a few big exceptions, which Power and his colleagues Nite 0wl and Deviant Ollam pointed out during a HOPE convention panel on “Lockpicking On Screen Versus Real Life”. Linda Hamilton, star of Terminator 2, actually learned to choose for the role, and her entire escape scene was chosen in real time, using multiple takes until she was successful.
Another major exception, of course, is that of the United States. Mr. Robot, who has consistently nailed down every detail of hacker culture, including lockpicking. In the fifth episode of Season 1, protagonist Elliot breaks into a secure data center, picking a lock with both a hook and a spinning tool. Except that he realizes then that it is the wrong door and that he has to retrace his steps.
Ollam burst out laughing after showing the audience this scene at the HOPE convention.
“I can’t even tell you how many times we’ve tested a setup and picked the wrong door, like ‘well, now we’re out! “” he said, while Power and Nite 0wl laughed. Like hacking, lockpicking isn’t flawless. When you open a door it’s hard to tell what’s on the other side, but the hacker mentality means always having the skills and tools to find out.