#3 Non-Destructive Entry Magazine
Medecoder, ABUS Plus, Ingersoll, Tiger Team And More!
May 2008

Welcome

For Locksport!

I received a message the other night. It was Amanda, a friend of mine who has recently taken up lockpicking. She was complaining that the challenge lock I left at her house had pricked her with a metal splinter. I told her I was sorry, she simply replied: “I HAVE BLED FOR LOCKSPORT!” I have too actually, when I first tried to make my own picks. In fact, in an informal survey I found that 100% of NDE readers who were surveyed have bled for locksport. A staggering percentage!

We give our blood to these locks and it’s worth remembering what they give to us. Locks provide us not just with physical safety, but with peace of mind. They are a staple of the civilized world. A lock says “someone owns this, it’s not for you.” It’s the dividing line between the public and the private.

And for the lockpicker? A lock presents a challenge, a never-ending supply of new puzzles and as our hobby grows. Fueled as everything is now, by the internet, we see more collaboration, faster progress and ever more clever solutions to the problems the locks pose.

However, there are new challenges that we should have seen coming. Specifically, how to disclose this information. The trouble is, when we get excited at our discovery and bound off to tell as many people as we can, we are celebrating what a lock means for us, it’s been conquered, the puzzle solved, the code deciphered. Unfortunately, in doing so we risk destroying what a lock means to the rest of society. We have the power to redraw the line between public and private.

To those who would contend that the only way to protect those people is to immediately and publicly expose the weaknesses in their locks, I hope this issue of NDE can provide you with some fresh insight. The lock industry is changing for the better.
They are opening their doors and welcoming some interesting new perspectives. I am proud to see NDE carry these exciting new stories. What happens when a lock manufacturer meets a lockpicker? Read on to find out.

Contents

The Tiger Team, by Doug Farre
A New Day, by Josh Nekrep
The Medecoder: Jon King’s homebrewed Medecoder & the response from Medeco themselves
Centerfold: Photo by Mike Brewerton
ABUS Plus Exploit: Our interview with Jaakko Fagerlund of Finland on his remarkably simple attack
Breaking Ingersoll: John Naughton’s in-depth first report on Ingersoll’s lever padlocks

NDE Mag Staff: Executive Editor: Schuyler Towne; Managing Editor: Mike Brewerton; Online Editor: John Naughton; Contributing Editor: Doug Farre
Writers: Tiger Team: Doug Farre; Open Letter: Peter Field; Medecoder: Jon King; Ingersoll: John Naughton; A New Day: Josh Nekrep; ABUS: Schuyler Towne
Photography: Tiger Team TruTv Promotional Material Medeco Centerfold Mike Brewerton ABUS Plus Jaakko Fagerlund Ingersoll Adam Ferguson
Special Thanks: Creator of this typeface: josbuivenga.demon.nl
ndemag.com

Insecurity: An interview with some of the nation’s best known security experts.

Being a lock picker as well as a security and technical enthusiast, when I first heard about a new show on truTV (formerly CourtTV) called “Tiger Team” there was no doubt in my mind that this show was going to be awe-inspiring.
It promised lock picking, hacking, and social engineering in each episode. Not to mention sneaking around at night, using the latest high tech toys, and recording every second of it for the world to watch. So if you’re not excited at this point, you should be. The show is about a team with Chris Nickerson, Luke McOmie, and Ryan Jones, who are hired as Penetration Testers to test the physical, electronic, and procedural security of a target facility.

Two episodes of “Tiger Team” aired on truTV December 25, 2007. Over 680,000 viewers tuned in to see the episodes that Christmas night, making it a very successful premiere. As promised, the episodes were filled with lock picking, safe cracking, wireless network hacking, elaborate social manipulation scenarios, security system bypass, and tons of other stunts that made you think “Why didn’t I think of that?”

Personally, I was a bit hesitant at first. I kept thinking “How much of this was staged?” However, after watching the episodes four or five times, I began to realize how professional these guys really were. Chris, Luke, and Ryan are some of the best Penetration Testers out there. These are their stories.

Chris Nickerson (aka “Indi”)

Chris’ story is by no means unique. Like most technology geeks, he started out young, breaking and fixing his parents’ computers. As a teenager he began messing with the phone systems and running BBS’s out of his house without his parents’ knowledge. Sounds familiar, right? Chris went on to college and specialized in virology, although his main interest was partying. It didn’t take him long to realize that he didn’t like school very much, so he joined the military where he worked in intelligence. This is where it gets a little more exciting. After leaving the U.S. Army, he started to gain most of the major computer defense skills that he uses today.
He worked at a law firm that defended the tobacco industry, and got his chops in virtual and physical security, as people constantly tried to hack their way in to gain insider knowledge on the case. After the case was over Chris left the law firm to become a Chief Security Air-Tech at Sprint for seven years, then to KPMD to begin his career as a penetration tester. He currently works at Alternative Technology (who bought out KMPD), in Denver, Colorado where he is a Team Leader and a Senior Security Consultant.

Chris has a fascinating personality. On the show, there is no doubt that he is the Team Leader. His ability to manipulate any social situation and extract the exact information he needs to accomplish his goal is flawless. He does this without the least bit of sympathy for the emotional tolls his broken promises may inflict upon those involved. An example of this can be seen in the episode “Car Dealership Takedown”. Chris promised several employees of the dealership that he intended to purchase a half-million dollar car the following day. Chris explains to NDE, without a quiver of sympathy in his voice, how angry and hurt the salesmen were (and still are) when they discovered he was not really buying a car. Had I been in Chris’ shoes I would have felt bad for the guy, but I imagine that as a professional you can’t worry about such things.

Ryan (aka “Lizzie Borden”)

Ryan just might be my personal favorite, and if you’ve watched the premiere episodes then you will understand why. This guy can only be described as a finger-print-dusting, lock picking, and safe cracking machine. He picks through locks under some very stressful conditions without even flinching. Like many others in this field, Ryan first discovered the hobby when he found the MIT Guide to Lockpicking back in 1992. He described to us the perks of growing up in New Orleans after Mardi Gras, and the abundance of street sweeper bristles left behind that could be used for manufacturing lock picks.
Although Ryan argues that his computer skills are also up to par, I had already heard what I wanted to hear. I mean, how often do you get to talk to a guy who gains entry by lock picking, sneaks around places at night, and professionally avoids tripping motion sensors and magnetic door alarms for a living? Although, we did manage to catch the following: Ryan started young, like Chris, with computers, phones, and the early days of the internet. He eventually decided to try college, where he made a semester long attempt to study computer science. He then started his career working for phone companies, and dot-coms, where he developed his interest in security. His next step was IBM where he did penetration testing and risk assessments, similar to what he continues to do today at Alternative Technology.

Luke (aka “Pyro”)

Luke’s childhood was very similar to Ryan’s, and Chris’, finding his interest in computers at age 11, and never changing his hobby since. At 16 Luke was already doing hacker work in various groups and eventually began working for the government in addition to security consulting. He later attended college where he studied computer science for over three years, until he found himself expecting two children and was unable to finish. Eventually Luke found himself at KPMD where he met Chris and Ryan. He picked his first lock in August of 2002 at Defcon. He says “Everyone remembers the first lock they pick”, as he recalled the Master Lock cylinder that introduced him to his new hobby.

Chris, Ryan, and Luke all joked about how their first marriages failed, due to their constant traveling, late nights, and heavy workloads. Chris and Ryan say they learned from their mistakes, but after Luke broke it off with his first wife, he was the only one to remarry, and it was with his rebound girl. Sorry Luke.

Although the team doesn’t like to admit that they are individually better at any one skill, it was quite apparent to us that Luke has a way with computers.
He pretty much said it himself when he told us that his favorite types of jobs were network incident response and black hat assessments.

It didn’t seem to upset Chris, Ryan, and Luke too much as they described how truTV has no more plans to continue the series after the premiere episodes. I assume it was because of the conflicts they had while producing the episodes. They had nice things to say about truTV itself, but didn’t appreciate all the backroom politics associated with the production company on the project. Although truTV has stopped communicating with the team, other networks have shown interest in the show. In fact they are hoping the show will sell to another network so they can cover a deficiency of $250,000 in production costs left over from the project. Post production for each episode of Tiger Team costs around $285,000.

Chris, Ryan, and Luke said that although they had to take a pay cut from their normal jobs at Alternative Technology to do “Tiger Team” it was all worth it. They said they would look forward to doing it again if they had the opportunity.

Doug Farre
Contributing Editor, NDE Magazine

On The Job: The crew of “Tiger Team,” ready to roll out.

It’s a New Day: Security Through Obscurity & the Locksmith Industry

It seems that everything changes over time, but the physical security industry has changed dramatically and it will never again be the same. For hundreds of years the locksmith trade has been one of precious secrets and knowledge, passed from journeyman to apprentice, from father to son. That was the old paradigm, or what some might even call “the good old days” of locksmithing. Today, anyone with access to the internet can discover “secrets” that were previously possessed by only a select and trusted few. The old paradigm no longer fits and it hasn’t for many years. While some may wish to blame locksport, it has been this way for longer than locksport has existed.
It is left to the professional locksmiths to grow and adapt to this new world and satisfy the needs of their customers.

In days of old, the “lock smith” was the one who actually made the locks. They worked hard to develop the best possible lock, carefully guarding their secrets. They truly aimed to create security for their customers. Since it was they who crafted the lock, it was they who knew every detail of it, details they certainly didn’t want falling into the wrong hands. And so it was for generation after generation, and the system worked reasonably well.

Something changed though, and it wasn’t the proliferation of the internet, where secrets are passed around more rapidly than a doobie at a Grateful Dead concert. No, it was much, much earlier than that. What changed? Locksmiths stopped making locks. Indeed, it was this shift that changed the face of the industry. The role of the locksmith changed forever. They were no longer craftsmen, they were knowledgeable experts. They were no longer builders and designers, they were installers and troubleshooters. The locksport community didn’t do that to them. It wasn’t even conceived of yet. It was the economy of mass production that irreversibly changed their role. It is not to say that locksmiths needed to know less. In fact, one could easily argue that they needed to know more, with the need to know about the wide variety of products and options available to the consumer. Locksmiths continued to serve a vital role in society, but that role had changed.

So what’s the problem? The problem was, and in many cases continues to be, that many of the “old ways” remained. Left unchanged was the desire to protect valuable “trade secrets” and other such pieces of information that, at the end of the day, amount to nothing more than knowledge of vulnerabilities. To some extent, this was done to protect their trade. While it’s an understandable position to take, it’s not necessarily helpful.
Add to this a second influence that came in the form of pressure and expectation from the manufacturers. In some sense, locksmiths have become the salespeople for the lock manufacturers. Locksmiths even invest large sums of money to gain “authorized reseller” status from leading manufacturers. With all this invested, it’s easy to understand why they would hold to their old position of security through obscurity.

This does present a serious question to consider: If locksmiths are influenced by pressures to protect their industry and to protect the interests of the manufacturers they represent, then who shall stand as advocate for the consumer? This is the question of the moment in the physical security industry.

Before the angry responses begin to fly, it might be worth the effort to note that not all locksmiths can be painted with the same brush because each locksmith may choose to conduct their business as they see fit. There are numerous locksmiths that hold, as the single highest matter of importance, their responsibility to the consumer. With others, the interests of the consumer have been shuffled down on the list of priorities.

The proliferation of the locksport community, though still in its infancy, has emerged from those who simply have an interest in the products they use to secure their person and property, and the limitations inherent within those products. Indeed, few enthusiasts set out to “change the world” in any meaningful way. However, in many cases some have stepped up to become the de facto advocate for consumer awareness. This role would not need to be filled if the locksmith industry at large was fulfilling that need.

It is wise in any industry to consider the needs of the consumer first, because clearly it is the consumer that drives the industry. For far too long they have been left in the dark concerning the vulnerability and risk to which they were subjected.
This is made evident by the reaction of average people when they view media stories on the “bumping” technique. Their shock and discomfort serve to show us that the physical security industry has done a poor job of informing the public. Locksmith trade groups claim that the technique has been known to locksmiths for decades. If this is true, why was the public not informed or the vulnerability corrected?

Some argue that it is the public release of information, such as bumping, that creates the vulnerability. The argument is that bumping attacks were uncommon or even unheard of before information on the subject was released widely. There is just enough truth in that argument to make it dangerous. The problem, of course, is that the technique was used. Because bumping leaves little in the way of physical evidence, it is difficult to accurately judge how often it was used. One can’t help but wonder if the victims of these crimes would be pleased to know that the locksmith that sold them the lock may have known of the threat, but chose not to inform the consumer. Were those victims better off not knowing of the problem?

The issue of security through obscurity is a dead concept in virtually every area of security, except the locksmith industry. Computer professionals and corporate security advisors have long recognized that security through obscurity can act as one of many layers in a security plan, but left to stand on its own it is disastrous. Anyone doubting this might consider a preview of Kevin Mitnick’s The Art Of Deception. Despite this, the locksmith industry continues to hold tight to its old ways.

This article is an extrospective look at the locksmith industry. That is to say it is written from an outsider’s point of view. The author writes from his own perspective only. Before anyone lines up to state the irrelevance of the author’s perspective, it might be worth noting that the author is, himself, a consumer in the physical security industry.
If this consumer’s perspective is considered invalid, does it not serve to validate the article itself? Food for thought.

Josh Nekrep
President, Locksport International
Administrator, LockPicking101.com

The Medecoder
by Jon King, Peter Field & Schuyler Towne

Prodigal Sons & Responsible Disclosure

I’ve never spoken directly to this audience about how I entered the world of Locksport. Back in 2006 I was attending the Hackers On Planet Earth (HOPE) conference with some friends. They dragged me along to a talk on lockpicking, a subject which had never held any attraction for me before that time. The talk was two hours long and featured Barry Wels and Marc Tobias. It was incredible. Barry, in particular, amazed me. He was like a very quiet magician on that stage. He spoke to the audience candidly while opening locks casually. Each time a lock popped it was thrilling to me; his relaxed manner, his absolute confidence that the locks would open, and his perpetual half-smile left an indelible impression.

Afterward I approached both men as they sat in the lobby of the Hotel Pennsylvania. I thanked them and asked Barry if he had any clubs in America. I mentioned that some friends of mine and I wanted to start picking locks together. He told me to come see him the next day and he’d give me all of the information I would need. So, at 3pm the next afternoon, on the last day of HOPE #6, I met Barry once again and he introduced me to Omikron, Eric Michaud & Eric Schmiedl. I remember they looked confused to have Barry introducing me. Before I could reflect on it he announced: “You four will be my Board of Directors for The Open Organisation Of Lockpickers, U.S.” It was quite a shock. I was thrown in the deep end, just 24 hours after discovering how a lock works.

During the following weeks and months, I learned a lot, I worked hard and started competing. There were people who helped me along and I was lucky to be able to bounce ideas off of some of the best mentors in the world.
Now, less than two years later, NDE Magazine is up and running in stable condition. It has found itself planted firmly in the middle of some incredibly talented people, ready to introduce them to one another and tell their stories. I could not be happier.

I mention all of this because it is absurd to me that one morning in April, I found myself in the kitchen of a sailor in the U.S. Navy, who had worked tirelessly for months to develop a tool to aid in the picking of Medeco locks. Sitting across from us, quiet, curious and unassuming, was the head of Medeco research and development. Which begs the question: “Why was I there?”

The Prodigal Son

At the 2007 Dutch Open, Peter Field, the man from Medeco, was slated to give a four hour talk on lock engineering. It ran for over five. As compelling and comprehensive as the presentation was (and as entertaining as the Frenchman sitting beside me was, whispering as each slide came up: “Ah yes, this lock, let me tell you how we defeat this lock...”) what stood out most to me were his opening words: “Let me just say, in case no one else has, welcome to the industry.” To a room full of lockpickers, he says “Welcome.” That is not the reception those of us on this side of the Atlantic are used to. To be clear, in both our private and public lives we have been called criminals, miscreants, thieves and far worse.