Hacking locks instead of computers
One of the cool trends I've seen at different hacker events like Shmoocon and Defcon this year is interest in hacking physical security instead of digital security. More and more people are getting interested in 'lock sports' or the art of picking and bumping locks for the sheer challenge of it. The same curiosity that creates computer hackers is driving these people to learn everything they can about the internals of locks of every variety and shape.
Lock sports have a set of ethics similar to the one computer hacking originally had: do no harm, explore but don't do anything bad. All of the lock sports people I've talked to so far have stressed the fact that they aren't learning so that they can break into the neighbor's house; they're learning just to satisfy their curiosity. As they teach new people how to use their skills, it's made clear that there's a set of ethics that people are expected to follow.
In Europe, lock sports are an organized event with an annual competition called the Dutch Open. Competitors from around the globe gather to see who can open a series of locks the fastest, a sport currently dominated by the German group SPASS. These European groups cooperate with lock manufacturers to improve the design of locks. Just as with computer hacking, lock sports enthusiasts see locks in a way that no classically trained engineer or locksmith could.
Unfortunately, American locksmiths don't view lock sports with the same cooperative spirit. For centuries a large part of the security of locks has been the obscurity of the information about the internal workings of a lock. A group whose purpose is spreading information about locks, such as The Open Organization of Lockpickers (TOOOL), threatens that obscurity, and many locksmiths believe that such groups lessen the overall security of everyone. But as most computer security professionals already know, security through obscurity is a very weak form of security, easily broken and made worthless. Rather than feeling threatened by lock sports, locksmiths should follow the European example and learn everything they can from the American lock enthusiasts.
The thing that scares me about lock sports is not that the people are spreading this information, but rather how truly insecure most of the locks we use today are. Even though the technology of locks is centuries old, the real security of most locks is equivalent to the early days of the Internet. I watched a friend pick up a set of picks for the first time at Defcon and within just a couple of minutes pick a very common lock. A skilled picker could open the same lock within seconds, probably as quickly as someone with the actual key to the lock. I watched a 12-year-old girl bump a high security lock, used in government buildings around the country; one that was supposedly impervious to this type of attack. Whom do we blame for this: the young girl, or a company that makes claims that are questionable? Or do we do neither and learn from the experience?
Lock sports are gaining in popularity and the security through obscurity that locksmiths have enjoyed for far too long is starting to evaporate. There are going to be lock pickers who ignore the ethics that groups like TOOOL espouse, but there are also locksmiths with questionable ethics. The majority of both groups will continue to be upstanding citizens and use their abilities for fun and profit, hopefully for the benefit of the community at large. It's just a question of whether the relationship between lockpickers and locksmiths will be cooperative or hostile.



