So, now to our next talk. Lockpicking has been connected to hacking for quite a long time. For example, I picked my first lock four years ago at the OHM 2013 here in the Netherlands. And it was quite fun. There was a huge group of people interested in lockpicking. But interestingly enough, I've never really heard a talk about lockpicking, especially about the darker side of lockpicking, about the attacks that you can do. Our next speaker has been a black hat locksmith for some time in the past in his life. Now he changed. Now he helps companies figure out where there are the holes in their systems. He claims there's no lock that can't be picked. He claims there's no side that is completely secure. So now he's going to tell us a bit about the darker side of lockpicking. Please welcome to the stage Huxley Pick. Thank you. Okay, welcome to black hat locksmithing. So before we start, everyone knows the difference between a black hat and a white hat, don't we? Yeah, just in case you don't. A black hat is someone who uses their skills to steal and be generally naughty. And a white hat is someone who uses them to protect and to help people. And this is the black hat variety. The obligatory waffle about me first. I'm Matt Smith, otherwise known as Huxley Pick from Off of the Internets. My first love of security subversion came with social engineering. So very often this involves making things like this, amongst other things, and getting into big sporting events and music festivals and hacking events, that sort of thing. And never worked for Oxman, just in case you were wondering. Then it was more about IT security when I was a software developer and SCADA systems engineer. And about 13 years ago, I got into lockpicking, which turned into locksmithing, which turned into tool making. And now I make very specific tools to open very high security locks. The picture we can see here, this is lockfall towers, this is where all the magic happens. It's actually my cellar. 
It is my cellar, not my parents', just in case. And I like to look for things called physical 0-days, what I call physical 0-days at least. And that's exactly what it sounds like. So it's an undisclosed vulnerability in a physical locking system that no one knows about yet, so the public or the vendor. That's enough about me. So, are locksmiths the good guys? Not always. I'm going to go through some examples of thieves and prison breaks and some secret locks, some secret tools. I'm going to show you some stuff that I've not released before, but this is all my work. So I'm not going to show you practically how to steal things. That'd be irresponsible. And I'm not going to be showing anyone else's tools or techniques. Anything I show today has been on the internet at some time, if not anymore. So locks or security devices, they exist to stop people breaking into your house, stealing your car, stealing your bike. So if you had nefarious intent, you'd be really, really interested in getting through these things. And it brings us to the age-old adage that locks only keep honest people out, which by and large is very true. If someone wants to get through your lock badly enough, then they're going to do it. This is an example of a very old lock. This is 4000 BC. It's an Egyptian lock. Now we changed the design of this lock at some point. We still don't use wooden locks today. So I think it's fair to assume that this wasn't the most secure lock in the world. And so I think it's also fair to say that these were picked and black hat locksmiths have been around ever since locks have been around. So what motivations might someone have for picking a lock that doesn't belong to them? Any ideas? Anyone? Money! Theft! Yeah, treasure, of course. Built the money. Other motivations? Freedom? By this, I mean escape from captivity, not overthrowing your oppressive English overlords. Of course. These guys, the alphabet soup authorities, so the KGB, the CIA, you know the ones. 
These guys have been into lock picking ever since they've existed. And these guys have got lots and lots of public money to spend. Very often their tools are the most amazing, intricate works of art. But because of their very nature, we very rarely get to see them, which is a real shame, I think. They have enough money to use the very best manufacturing techniques, the very best materials, so they should be good. Later, I'm going to be showing you a couple of the Stasi's declassified tools. Well, I'd say declassified. The Stasi don't exist anymore, of course. But it gives you a useful insight into where the secret world of lock picking was 30 plus years ago, and it's quite scary. So if these guys are going to want to get through your lock, they're going to want to do it in one of two different ways, surreptitious or covert. So covert is when the lock's been picked. But if you remove the lock and take it to a forensic locksmith, they can look at it under a microscope, and there will be telltale scratches and signs that tell the forensic locksmith exactly how that lock was opened. Surreptitious, on the other hand. This is like the holy grail of entry for these guys. It leaves no trace at all. It's as if you've used the key. No one would ever know. And they love tools that do this. And it brings into question, what are these guys anyway? A black hat, white hat, gray hat. It depends on your nationality, I guess, or your political motivations. It's a very hard line to define in this case. I can attest to this. A lot of lock pickers do it just for the challenge. It's like a mechanical puzzle. And there are always harder locks to try yourself against. So it never gets boring, which is good. And somebody's always going to have some crazy motivation for picking a lock that doesn't belong to them. We all know what one of these is, all right? Look at the teeth on that. OK, so first up, to say confession is good for the soul. 
And a long time ago, in a former life, this is my confession, at least, I had a penchant for taking money from vending machines. Now, I saw this as very low-hanging fruit. It almost seemed too good to be true that there was this big box of money behind this lock, very often unguarded. But my career as a vending machine bandit didn't last long. It soon, to me, became about the challenge of opening the locks, which turned into locksmithing and so forth. So my hat was changed, just like that. Now, I shouldn't have to say this. Standard disclaimer, don't steal from vending machines. Don't steal. Full stop. And just to reinforce this, there was a guy in the UK a couple of years ago. He was stealing from the parking meters, we can see here. Now, he wasn't picking the locks, he was forcing the locks, but he was definitely stealing the money. And he got arrested, he got convicted. Got a five-year suspended sentence, but in a first of its kind in the UK, he got an injunction banning him from going anywhere near any coin-operated machines. No. This came with strings attached. So if he wanted to go on holiday and he had to drive his car to an airport, then he could use the parking machine, but for a maximum of 30 seconds, and he couldn't return to the parking machine for a minimum of four hours. This could make life very difficult. So don't let it be a... So let's have a look at some lock-picking thieves. Lock-picking theft brings with it a set of unique issues that you don't really get with other theft. We can say that the vast majority of thefts are forced entry, that's a fact. But the exact number that are done by lock-picking methods, it's kind of fuzzy. This three to six percent, I think I checked maybe seven or eight different police forces. Certain police forces say snapping, for instance, is a lock-smithing technique, or they say it's destructive entry. 
So this number is really hard to pin down, and there are other reasons why it's hard to pin down as well, which I'm going to go into. So the very nature of lock-picking means that there's no obvious sign. Like I spoke about earlier, you can find signs if you look at it under a microscope, but ostensibly to the layman, you probably have to do it on lockdown, they have the key. Lock-picking is going to feature very low down the list of potential reasons for your house getting burgled, and that's going to keep this number down. The amount of locks that get forensically examined is tiny, tiny. It only happens in the most high profile of cases. So if your shed gets robbed or your house, chances are the police aren't going to spend a lot of money forensically examining that lock, so it's going to go unnoticed. There's also insurance issues. So if you come home and you see that your door is open, everything has been stolen, you don't know what's happened, and people always tell you in this case, smash a window or kick the door in so that the insurance company don't try and worm out of the claim, because that's what they will do. They'll say you must have been negligent with your keys, left them under the mat, or maybe you just left the locks unlocked. Your fault. And again, that's going to keep this number down. Every time that plays out, that's going to keep this number down. You also get skimming, so let's go for a hypothetical here. Let's say there was a thief that could pick some parking meters near his house, and let's say that instead of emptying that parking meter at the end of a very busy day, what if that thief just takes maybe 5% out of every meter and locks it back up? Very often, this can go unnoticed for years. It can fly completely under the radar sometimes. Sometimes it never gets noticed. I can guarantee you. And again, it's a hypothetical. It's a hypothetical. And that's going to keep this number down again if no one notices. 
And let's say you're the manager of this parking company. You know that the locks have been picked. You know that they've been opened. You know that they've been locked back up again. And you know that the money's been going missing. So your first port of call is going to be someone with a key or maybe someone who had access to the key and copied it. Again, lock picking probably isn't even going to enter their heads. It's going to keep this number down. But I do want to caveat this by saying, again, most thefts are forced entry, so don't worry too much. Lock picking is rare; I don't think it's quite as rare as it's made out. So this is our first lock picking thief. Deacon Brodie, this guy was from Edinburgh. His floruit was in the late to middle 18th century. Apparently Robert Louis Stevenson based his character Dr. Jekyll and Mr. Hyde off this guy. Because by day, Deacon Brodie was a pillar of the community. This guy used to organise church fêtes. He was a town councillor. He used to bless babies. You know everyone loved this guy. But by night, Deacon Brodie changed completely. And he was also a talented locksmith. So his high status in society and the fact he was a locksmith got him jobs servicing and installing locks on rich people's houses. So Brodie's favourite trick was before he'd install the lock, very simple, he'd take a key, make a copy, and then at some convenient point in the future, he'd go and rob the house. If he didn't already have a key, he'd use a method of impressioning. So pretty much exclusively, he'd have been up against what we call warded locks. Now this is old technology now. It's not really employed anymore. But how he'd get through it, is he'd take a blank like this one here, or these ones here. These are actually his tools. So he'd take a blank, and he'd put an impressionable material on the side of it, either wax or soot, introduce it into the lock, and turn it. 
Now it wouldn't open because it was a blank, but when it stopped, it'd leave an impression on the soot or the wax. And when he removed the key, he'd be able to see where he needed to file material away in order to make that key work. This is where we get the term skeleton keys from. So you've removed as much meat as you can off the key, and you've just left the bare bones skeleton keys. Another one of Brodie's favourite tricks, this is crafty. He'd often carry a blob of putty in his pocket, and he'd walk around Edinburgh Town City Centre. He'd go into local merchant shops, make idle chit chat, talk about the weather, nothing important. But if an opportune moment arose, he'd take a key, and he'd squish it into his blob of putty, and put it back before he was noticed. And again, he'd go home, he'd make a copy, and rob it at a convenient point in the future. He was quite successful as a criminal, in my opinion. One of his highlights was he stole £800. Again, it was his favourite trick. It was from a bank. He installed the locks, so he had a key. This must have been the easiest bank heist of all time. He'd just let himself in, let himself out with the money. He needed a lot of money, because Deacon Brodie lost a lot of money on cock fighting. He had a wife, he had two mistresses, six children. So he was a very busy boy, and he was already wealthy. His dad had left him a lot of money, and they're inheritance. Another highlight was he stole the ceremonial mace from Edinburgh University. This isn't the mace. The mace was never recovered. This is just something that it might have looked like. It's a ceremonial mace. That's not Deacon Brodie either. I like to think that this mace is right now sitting in someone's living room in Edinburgh, maybe being used as an ashtray or something. It has to be somewhere. Now, things started to unravel for Brodie when his gang tried to burgle the revenues of Scotland. So what this means? Back in those days, money wasn't electronic. 
Of course, it was all physical coins and notes. And this was the building where all the tax of Scotland was kept. So this was an obscene amount of money. But it went wrong. He only stole £16. But later on, maybe two months down the line, a couple of his gang got arrested for different things. Brodie didn't know what they'd been arrested for, so he assumed it was for the bungled heist. Now, as it happens, the two guys never breathed a word to the police about Brodie, but he didn't know. And so he fled the country, and that did bring suspicion upon him. So he was eventually found here in the Netherlands hiding in a cupboard. And he was brought back to Edinburgh and hanged in front of 40,000 people. But it's not all bad. He has a couple of pubs and a cafe named after him. This is his legacy. I love this guy. Okay, the Phone Ranger. James Clark, this is the best picture I could find of him. This guy was a tool and die maker from Ohio in the States. At some point during his career, he decided he was going to stop making tools. Instead, he was going to rob from pay phones. Specifically, he stole from the Western Electric pay phones, which were all over America at the time, literally all over America. He often used James Bell as a pseudonym when he checked into seedy motels as a way of giving the finger to the phone company. And he was eventually arrested in 1988 in his caravan where he went quietly. Now, these are the pay phones he was robbing from. This is where the money lives. The lock is on the side, and this is the lock here. We're going to have a closer look at this lock. This guy was the only man who ever picked this lock up to this point in time, or the only man who has ever been publicly acknowledged with picking the lock. Now, what makes this lock so secure? Ohio Bell spent a million dollars in the 70s developing this lock, which by 70s standards was a lot of money. This was the days of the $6 million man. $4 million is like his leg, his head maybe. 
It's the peak of technology. It has a very paracentric keyway. What that means is you see these jaggedy teeth. So if you try to pick this lock, you need to maneuver with your pick around these wards, and that makes it difficult. It has eight levers, all of which have false gates, which again makes lock picking harder. There's a common spring. So in most lever locks, each lever has its own spring. This just has one. So what this does, if you lift one lever high, that holds the spring up, and all the other levers no longer have any spring tension on them, so they just flap around sort of uselessly. It makes it difficult to pick the lock. But that's not what makes this lock secure. Other locks have these features. What makes this lock particularly secure is the lever grabber. So that's this big silver thing. So on this side, we can see a locked lock, and on this side, we can see it's been unlocked. And what's happened is this C-shaped stump has gone into the hole here. But more than that, this lever grabber has engaged, and you can see it sort of meshed with the levers, and that stops the levers moving. It makes them immobile. So normal lock picking theory would tell us that we push this C-shaped thing against the levers, and that creates friction, and then the lock picker moves the levers, and it's that friction that tells the lock picker what's going on. That can never happen in this lock, because by the time this gets to here, this is engaged. And so you can put pressure on the levers, but you can never move them. Very difficult lock to pick. It shows you what an achievement it was that this guy could pick this lock. Over seven years, he stole from 32 of America's 50 states. He used to travel up and down Interstate 40, east to west, east to west, branching off to different towns to steal money. He got high profile. He was on America's Most Wanted twice, and there was a $25,000 reward on his head for capture. 
Now, like I say, this guy was the only man ever credited with picking this lock. Now, we can say this because the FBI forensically examined every single lock that was picked, every single pay phone lock that was picked, and they all had very distinctive scratches that were from his tool. But frustratingly, we don't know what his tool looks like. The Feds, obviously, never released pictures of it. And there's no reason to think Clark isn't taking that secret to the grave. He might be dead already, I don't know. He'd be 79 now, and he's never told anyone. I've heard different reports saying it was quite sophisticated, and other reports saying it was made from piano wire and quite simple. I think it was probably quite simple. All the best tools are the simple tools. He earned, no one really knows, varies from between $400,000 to over $1 million, which is $57,000 to $147,000 a year, which is a pretty good earning and change. So if we say he stole, if we're generous and say he stole $1 million, and that the most common coin in U.S. pay phones is the quarter, that's 4 million quarters. Which looks like this. That's... Where do you keep all that? He eventually got caught tampering with pay phones. He got three consecutive one-year terms, so he did three years in total. More amusing than that. He was ordered to repay $802.50, don't forget the 50 cents, back to Ohio Bell. So if we say it cost Ohio Bell a million dollars to develop this lock, then this is a slap in the face. Ironically, modern pay phone locks in America are less secure than the lock I've just shown you. Now, they're not bad locks by any stretch of the imagination, but they're less secure than that one. If you wanted to be a pay phone thief in America now, it would be easier than back then. Let's just say that. Now, for years, I didn't make any progress at all with this lock. For years, I've been trying to emulate this guy, and I've got an example of it here. But recently, I made a bit of a breakthrough. 
So this is the lock in sort of half-open position. We can see they're at the right height, and this C-shape is entering into the gap. So I've found that you can overlift one of the levers higher than it should ever go. So this is one of the levers that's gone too high, and this little pointy bit on the end of the lever, is a little bit too high. You can see it keeps this grabber pushed back, which then leaves you seven other levers to pick unimpeded, which is still no easy task, but there's light at the end of the tunnel. This actually led to a better technique where I don't have to overlift anything, and as soon as I pick the lock, I'll be the first to let the world know, believe me. Was this how Clark was doing either of the two methods? Was this how Clark was doing it? We can never know. Let's have a look at some prison escapees. We like prison escapes. I love this. I love the way that the guards are just standing there taking pictures, and... This guy looks in quite a lot of pain. Look at this. So this guy wasn't a lock picker, I guess. These are all tools that have been confiscated from an American penitentiary. I love this. It attests to the ingenuity of man. When times are hard, they don't make the most creative things. We can see lock picks here made from knives, spoons, buttons, wire. I don't even know what this stuff is. Pretty cool stuff. This is the story of a Finnish borstal break. This is the Abloy Classic lock. It's a very, very secure lock. It stood the test of time. It's now been around for 110 years. So it's a good lock. But these lads in the Finnish borstal, they managed to escape. They went joyriding. They came back. They did some donuts around the car park of the prison. And then they let themselves back in. Now, the guards assumed that they must have had a key. And they did have a key. But they were never given access to any of the keys at any time. They were never given time alone with a key to copy one. So how did they copy the keys? 
It's fantastically simple. Pencils. This involves a method that we call sight reading. So if we look at the key again, we can see that instead of up and down cuts, like you get on a normal key, this has 18-degree angles. So you can get quite good at just looking at this key and going out, that's a 2, 1, 0, 5, et cetera. And that's what they were doing. They visually look at the key as the guard used it and make a copy from a pencil. Very good. This is what they use in the USA. So these are called moguls. You can see it's just like a normal lock, but maybe twice the size. I heard that the theory behind making these big locks was that the inmates would have to, therefore, make bigger lock picks, and therefore they'd be more easy to be spotted, which sounds like nonsense. I think being America, it was probably more a case of, being more secure than a lock. A bigger lock! Of course. Can you still pick them? Of course you can still pick them. They are very difficult to pick, but you can still do it. And these are normal tools, by the way. These aren't massive tools, they're just normal lock picks. This is the story of Mr. Doody from 1812. This isn't a real picture of him. So this guy, he was from Wolverhampton in the United Kingdom, and he invented a lock that used the secret principle. So all that means is there was a certain secret to opening the lock, either a hidden keyhole or maybe a hidden button. But as soon as you know the secret, you can open that lock. So this is otherwise known as security through obscurity. And it can work very well on the small scale. If you only have maybe one or two locks in one or two different towns, then no one knows the secret. It becomes a problem when they're mass manufactured using this principle, because, again, as soon as you know the secret, you know the secret to all the other locks. So this guy, he serviced the locks on Stafford Jail, which was useful because he got locked up in the same jail several years later. 
So, of course, he picked his way out. But he was worried that his family would get in trouble, or maybe he would get a longer sentence if he was caught while on the run, which he probably would have. So he picked his way back in. The story goes that he was sitting in his cell when the guard came round to the roll call in the morning like nothing had happened. And we can't talk about prison escapees without talking about this guy. We're going to come into the present time after this. Don't worry, it's not a complete history lesson. But Jack Sheppard is responsible for... Well, we can thank this guy for many subsequent prison escapes, and you'll see why soon. He was only 22 when he was hanged. So, and you can see this guy was only a small man. And yet he was renowned for breaking through strong room doors, for breaking through solid oak floor, but walls, he was good at breaking through walls. He was a lockpicker, pickpocket, vagabond, ruffian, general scoundrel. This guy did everything. Gentleman Jack, as he was known, he escaped from prison four times. Each time he was sentenced to death. But his first escape was my favorite. So, he escaped by wiggling the iron bar on the window, and he used this iron bar to break through the floorboard. Then he broke through two walls. Then he found himself at a high window. And he couldn't get down from the high window without injuring himself. So, can anyone guess what he did? How did he get down from the high window? This is the first example I can find of this ever happening. Yeah, of course. After his cell, he tore strips off his bedsheets, made it into a rope. Jack the lad, as he was also known, his second prison escape was dubbed the sexiest prison escape of all time. Now, this is because he was locked up with his mistress, Edgworth Bess. She was a local prostitute. And the guards had learned they didn't leave any bedsheets for Jack to pull the same trick. And yet he pulled the same trick. 
So, can anyone guess where he got the material from this? Yeah, from Bess. This was in a local newspaper. It's an artist's depiction. This is a lot more modest than I believe it was. She was pretty much naked, in reality. Now, the idea was he was going to tie the rope to one of the bars in the window. But unfortunately, Bess was a little too big to get through the gap. And so, he had to take all of the bars out and lower the heifer down himself, which he did, and then he climbed down the wall. But it didn't end well for Jack. He escaped four times, each time from the hangman's noose. Before he was executed, he was given the option of giving up his accomplices. But apparently when the judge asked this, he scoffed at him and mocked the judge. So that confirmed his death sentence. He had two plans to escape the noose. The first one was he was going to use a lockpick that he had fashioned from a nail. And he was going to pick his shackles at a particular time when the cart was going through London and there was going to be another cart waiting for him. But unfortunately, one of the other prisoners noticed his lockpick and told the guards, what an asshole. So he was hanged. His second plan to escape was he was going to wait until he'd been strung up and then after he'd been hanging for maybe five or ten seconds, a mob was going to rush onto the stage and cut him down and take him to a local doctor to be revived. However, we can see what actually happened. This is Jack going to the gallows saying hello to everyone. Now here we can see like there's this mob trying to get to the gallows, but they never made it, so Jack was hanged. And here we can see his body being given to the mob. Now the mob didn't take his body to a local doctor to be revived. It was more a case of ripping bits off it until there was nothing left. And that was the end for Jack, I'm afraid. He was hanged in front of 200,000 people, which was a third of the population of the whole of London. 
This guy was a massive celebrity. Bye, Jack. OK, we're going to come into newer times now. 1978. Jenkins and Lee. These guys were political prisoners, so they were distributing anti-apartheid leaflets, but they were doing it using high explosives, so maybe the prosecution did have a case there. But these guys escaped. They had 14 locked doors between themselves and freedom, and each of these was a different lock. So this was a massive achievement. They made the keys out of wood and later on from metal. This is Lee or Jenkins. Here we can see some examples of the keys they used. This one's quite complicated. It's got warding and lever cuts, so they weren't simple keys. But how do you get out of your cell door when there is no keyhole on the inside? These guys, this was the first door of 14. So every prison cell had a broom, and these guys took the broom apart and fashioned like a crankshaft system. We'll show you here. So this is what they had to do. There was a mirror in the cell, and they'd fish this broomstick out of the window and, using the mirror, they would see what they were doing, and on the end, you can see that they had this key, and so they'd operate it from the window. But this still left 13 locked doors. So it shows you what an astonishing achievement this was. These guys weren't locksmiths before they got locked up. And luckily, these guys are still out. They're still fine. There they are today. It's a happier ending. Berrimah prison break. Daniel Luther Heiss, this guy got convicted for murdering someone else, him and another man. They wanted this dead man's guns, apparently, which is a hell of a reason to kill someone. He escaped previous to this. In 1991, he faked a peptic ulcer, and he got transferred to the hospital wing of the prison. But he was in a high room, so can anyone guess how this guy got from the high room down to the ground? Sheets! 
His particular take on it was he ripped some wires out of the wall and intertwined the wires to make it stronger. But thank you, Jack Sheppard. In 1995, he was transferred to Berrimah. So when he got there, he met another inmate called Baker. Now Baker was a long-term inmate, and as such, he'd been given certain privileges, which included jewelry making equipment, bizarrely. He was a jeweler on the outside. So him and Heiss got together and thought, okay, let's make a key. Let's make a key and escape from prison. But the really good bit about this story is where he got the key from. So when anyone got transferred to Berrimah, they were given an induction booklet telling you how to be a good inmate, what to do, what not to do. On the front cover were the master keys to the prison. Isn't that incredible? So they escaped. Heiss left a message in his cell saying, "this bird has flown". Very cheesy. Baker got injured climbing over the second wall. He hurt his leg, so he got recaptured after 24 hours. Heiss was on the run for 12 days, but again, he got recaptured. But both of these guys are now out of prison. Heiss, this guy's a landscape gardener and an artist. This is an example of his artwork with the rainbows and the dragons and the eagles. I'm sure you can find him if you want to buy one of these prints. Okay, let's have a look at some secret locks and secret tools. This is the Chubb Custodial 3G222. So this is a prison lock, again. The big thing about this lock is that you can't do what I spoke about earlier with the Finnish guys. You can't look at this key and tell what the combination should be. Chubb boasts that the magnetic key is impossible to read or duplicate using normal senses alone or duplicate with standard workshop equipment. Now, I don't know about you, but that sounds like a challenge. But I've never seen this lock for sale. Chubb are really very good at keeping their more sensitive locks under wraps. 
If anyone has one of these for sale, I'd be super interested. This is another Chubb secret lock. It's not secret anymore. The Chubb Manifoil Mark IV was used by the UK Ministry of Defence to secure whatever you secure in safes, so documents and sensitive items. It's called the Manifoil, which stands for Mani Manipulation Foil. So it was designed from the ground up to stop you from opening it unless you knew the combination. It includes rumble strips. So have you ever seen the old movies where a guy will have a stethoscope and he'll be listening to the safe? That's actually a legitimate technique if you know what you're listening for. But this has these little rumble strips that deliberately make noise, so you can't use that. It also has lead shielding, this circle here. That's the lead shielding. And that was to stop X-ray attacks. So if someone came along with their portable X-ray device, you know the ones. And tried to get the combination. That stopped it. It also had crazy strict controls. So if you were a Chubb safe engineer and you were called out to go and work on this lock, you could do it without having someone supervise you at all times. There was also always a chain of custody on the parts. So if you took a dial or a disk or anything from Chubb, you had to sign it out. So everybody knew at any given point in time who had what parts. And there are no public successful manipulations of this. That's not to say it's impossible. I've heard rumours of people picking it, but no one's ever done a YouTube video to sort of prove it. But this has been declassified for a few years now, so it's only a matter of time. And this wasn't the end for the Manifoil. We'll leave that there. NATO Mersey locks. So this was used by NATO countries again to secure documents and so forth. Instantly we can see that it doesn't look quite the same as most lever locks. You've got this sort of V-shape to the key. 
And the idea of this is so you can't just get a blank and maybe impression the lock. You have to manufacture your own blank, your own key, which makes it more difficult, of course. It has 14 levers. All the levers have false gates, which is a lot of levers to pick. But that's not what makes it secure, but it's not what makes it ultra secure. So this is quite unusual with a lever lock. You can see we have these two silver parts here. They're the stumps. So the idea behind having two is if you tried to drill a lock and drill one of these stumps away, the lock is still going to stay locked. You'd have to drill both of them away, which doubles the attack time. And again, this is another lock that's never been publicly picked. Oh, I forgot to mention the other cool thing about this lock. If you try and tension this lock, so if you try and push these silver stumps into the levers, what happens is the levers move away, so you'll move the stump and the levers will move away. And so you can't get that friction. Very cunning way to stop people picking it. And again, I've heard rumors that maybe it can be picked, but no one's ever come forward and publicly admitted it. This isn't a secret tool. This is a seven pin tubular lock pick. It's for these locks. I'm sure we've all seen these locks everywhere on vending machines and cash boxes. Now, why I like this tool so much is because of how effective it is. So now it's time to pray to the demo gods. I have one here. This is a very common lock that's used for securing multiple items of electronic equipment. And we're going to see how fast this tool can work. So if we get it ready, I'm going to reset it just so you know I'm not cheating. Okay, ready? Hold on. Oh, demo gods, what have you done to me? Let's try that again. Obviously, it doesn't always work first time. There we go. Now, that was second time. That was like using the key, almost. So you can see how frighteningly effective this can be. 
Now, not every tubular lock picks this easy, but the cheap ones do. And this is a cheap one. This is a cheap one. So don't use that to secure your laptop is the moral of this story. Now, this tool uses a self-impressioning technique. So what that means in a nutshell is that this tool allows the lock to pick itself. It takes very little skill from the user and it happens very quickly. But it wasn't long before lock companies realized that this tool was out there. They started changing their designs. This is Baton's attempt at foiling this very tool. And I think this is a good attempt at foiling it. So one of the big things about this lock, instantly, you'll see it's got six pins instead of seven. So that tool needs to have its little arms in different places. So instantly, that tool doesn't work. Another big thing about this is it's field-rekeyable. So what that means is you can change the lock without actually physically removing the lock. So if you are worried that maybe the key has been compromised, maybe someone's copied it, maybe someone's stolen it, you can come along with a change key and move it to one of these other numbers and then the original key won't work anymore. They also put this shroud around it, the big hunk of metal. Now what this does is it excludes that pick from fitting in. You need a pick that sort of looks like the key here. So it needs a thin stem. You can single pin pick this lock and you can self-impression it too, but that shroud makes life very difficult. HPC are a tool maker. They did make a tool that opened these a long time ago, 30, 40 years ago maybe, I've not seen it for a long time. But this is a good example of how to stop that tool. This is a bad example. This is Camlock Systems' effort. So can anyone see what Camlock Systems did to stop that tool from working? I've highlighted it in red just in case it's not immediately obvious. They changed the circle to an octagon. And that's it. 
This was the whole model of security for this lock, was changing the circle to an octagon. That's simple. So this does stop the tool from fitting. It won't go in. Those little sharp corners stop it working. But luckily it's a very cheap and nasty lock. There's nothing stopping you getting direct access to the pins and single pin picking it. And it does self-impression too very easily if you had the obvious tool. So how do you think you might modify this tool to work in this lock? Do you think maybe if we change the circle to an octagon that might work? Well obviously, yeah, and it does. But this tool doesn't exist. Now I found this really crazy. I thought, well, if I can see the obvious tool, surely other people can. And other people did. This is a way that lock makers keep tools secret. It's quite an outdated method, but this is how they do it. So I was on Keypicking, which is a really cool lock picking forum on the internet. Now I put a post up saying at some point in the future I would like to make tools for this lock and this lock and this lock. And their lock, that one I just showed you, happened to be in that list and that was all. Their lawyers saw it, didn't like it. They got on to Keypicking's owner and threatened him with prosecution if he didn't give up my IP address and any other identifying information. And their intention was to serve a cease and desist order on me in order to, get this, prevent potential future patent breach. Now that covers everything, doesn't it? Potential future patent breach. And then I found out, they've done it before, they've done it several times, well, I know they've done it several times before, so they've probably done it many, many times. I've spoken to several tool makers from the UK and they've all said the same thing. They've said they've either made the tool or put the tool onto the internet to sell and every time Camlock Systems have jumped on them and said, no, you're not doing that. And I get why they do it. 
They do it so you can't get an off-the-shelf tool that opens their lock. So I understand it. But this is security through obscurity again. And the problem is this lock is everywhere in the UK at least. You'd think if it went to court that they wouldn't have a leg to stand on. And a lot of the guys I spoke to said they would have loved to afford it. But nobody wants a long, expensive legal battle with a lock company. And then I noticed that Camlock Systems had tried to patent the obvious tool. And here it is. You can see they've changed the circle to an octagon. Now, the reason they did this is a little fuzzy. I don't know the intentions behind it. Maybe they wanted, in the future, to make this tool and sell it to locksmiths. But that isn't what happened. I think it's more likely this was a purely defensive patent. They never intended to make this tool. They just had the patent ready so that if anyone did make it, then they could jump on them and say, no, that's not happening. And then I found out it never actually got granted. But whatever reason, the patent for the tool doesn't exist. I tried to patent it and it didn't work. So maybe they wouldn't have a stand-on after all. Now, like I say, this is an outdated protection method. It's been used many times in the past. But now we have the internet. Your secret can be everywhere in a matter of a day or two. And this wouldn't fly in digital security. If Microsoft make Windows 28 and any old fool can look at it and go, "Oh, I can just change an existing tool and totally subvert their model of security," they'd either have to patch it extensively or change everything from the ground up. And this is what we want. We want security through design, not obscurity. And this doesn't help anyone, this type of behavior. All it actually does is keep the vulnerabilities inherent within the lock. It keeps them there. This is another tool that was secret once. This is the Sputnik or Yugoslav. I think that's how you say it. 
It was invented by Mladen Perchich. This guy was a Yugoslav burglar who was stealing things in Germany. It's a really cool tool. You can see that you have these five little wires and each one of the arms moves one of these wires independently. So it's like having a movable key inside the lock as you pick it. You can buy these now, but they're not cheap. This is Abloy Classic. I said we were going to look at this lock again. So sometime in the 70s, a Finnish sex pest made the Vempele, which is this thing we can see in the bottom right corner. All that means is thingamajig or contraption in Finnish. This guy, he was picking the front door locks on young ladies' houses, hiding under the bed, and then waiting until the middle of the night before he'd come out and attack them. So he wasn't a nice guy. He got caught. The Finnish police wouldn't believe that he could pick the locks until he demonstrated it. The first example of Abloy Classic being picked in 75 years. Before Hanne was a reward, Abloy were giving a one million fin marks reward if you could pick this lock, which doesn't exist anymore. I could use a million fin marks right now. And this forced Abloy to change the design of the tool. So this tool was using this front disc to tension the lock. Abloy changed it so that front disc just spun freely and you could no longer use it to tension the lock. And since then, it went unpicked allegedly. So as soon as I heard about this, it became like a locksmithing ambition, more of a locksmithing obsession. I didn't work on it for six years constantly. It was off and on, making prototypes, realizing it didn't work, repeat, rinse, repeat. And then I settled on a design that I thought might work, but I realized I couldn't make it by hand. I needed something more accurate. So I saved up for a year to buy this milling machine. And to cut a long story short, it worked. Here's the tool. You can see two examples over here. I'll have it with me if anyone wants to see it. 
There's the lock open. No way. This is the good bit. I was really happy. But then within three weeks, a friend of mine got in touch and said, oh, I see your tool. It's for sale on that popular locksmith supply website. And I was like, I don't think it is. So I went and had a look. And it turns out when I spoke to the owner of the website, this tool got developed eight years previously by an unknown government agency. And for eight years, it had existed and been used in complete secret. And then once they saw mine on the internet, they realized the secret was out because it's almost identical. They realized the secret was out and they declassified it to sell it publicly. So I'm not interested in reinventing the wheel. If I'd have known that this tool existed all those years ago, I wouldn't have bothered spending so much time and effort and money in making this thing. Who would? Who wants to spend that much time copying something, essentially? And to say I found it a little vexing is an understatement. See, it was a little more soul-destroying. But this led me to make it better. I used what I'd already learned to make the tool better. So I'm going to show you the video of that tool. I'm not going to show you the tool itself because I'm not risking a repeat of before. But here it is in action. So this is me zeroing the discs. This is the tool going into the lock. This is the tool doing its magic. See how long it takes. Is that open? 13 seconds. Yeah, that didn't work, did it? Thank you, PowerPoint. Okay, let's have a quick look at some of the Stasi's declassified tools. Thanks to ArtemEister for letting me show these. These are his tools. This is quite an interesting one. We have these six plungers, each of which operate one of these six little arms on the end. And once you've picked the lock, you've got the thumb screws that you can then tighten down and it'll act as a key. The Stasi, they didn't invent this method, but this was their take on it. So this is a comb pick. 
It's not really a lock-picking device. It's more of a bypass tool. So instead of lifting these pins, see the gap here in the pins? Gap, gap, gap, gap. Whereas this tool lifts everything up high, high, high, so that there's nothing here stopping the lock from opening. It's actually quite an old technique. This is a picture from a patent from 1934. So it's older than the Stasi, but this is quite an interesting take on it. This brass box, this is for using this tool one-handed. So the end here sort of slides in and out, and you can slide it out, and it looks anyway like you're using the key. Very sneaky. This is another tool I developed maybe three or four years ago. It's for picking lever locks. And you can see there are four little ends here, and each one moves independently. Now I was really proud of this, and once again, as soon as I saw the Stasi tools, I realised that it had been done better 35 years ago. This is a five-in one. Is there anything unique left to build, I wonder? Can anyone guess who this belonged to? This is a make-up key. What this means is you can change the little bits on the end to form any key that you like. Can anyone guess? Anyone seen this before? No? Harry Houdini. He was a great lock picker himself. This is one of his tools. And every so often on the internet, you get some mad tools pop up. This isn't a secret tool, but I'm not really sure what it does. Any ideas? A bit of a plug. And from the ridiculous to the sublime. Look at this. How nice are these? So the story about these was a couple of months ago on the subreddit, lock picking subreddit, some guy posted this picture and said, does anyone know how these work or what they're for? And within 24 hours, he'd deleted the post and he'd deleted his user account. You only have to look at these to see that these scream government at you. Really. I'd love to know how these work. There's a bit of wire here. What's that for? 
And finally, let's just have a quick comparison between the digital and the physical world in terms of security. So in the digital world, we have Vault 7, WikiLeaks, Snowden's work that expose secret government digital tools. There's nothing like that for the physical world. No one's ever released a database of pictures of physical tools. The closest we ever get is when lock companies refuse to acknowledge that a vulnerability exists and so someone might put a YouTube up shaming the lock company. In the digital world, we have formalized structures for declaring vulnerabilities like bug bounty programs. Again, there's nothing like this in the physical world. In my experience, lock makers tend to want to know the vulnerabilities and give you nothing more than a pat on the head as compensation. It's not a thing in the physical world. There's a huge number of researchers looking at digital problems. Relatively, it's a growing number in the physical world, but it's tiny in comparison. And if you find a problem, nowadays, most software can be patched remotely. How do you do that with a lock? If someone finds a vulnerability in a lock and there are 3 million of those locks out there in the world, the lock company isn't going to be interested in going and replacing all those locks. That's going to cost money. They don't care about that. So I suppose, from that perspective, vulnerability disclosure is a lot more of a pain in the ass for the physical world. But I hope one day that the physical world will catch up with the digital world. I think they have to copy the model at some point, because we've got the internet now and information is so freely available. And hopefully, that's where things will go in the future, fingers crossed. That's it. We're done. Thank you for listening. I kind of feel scared now. Don't be scared. I mean, if a government wants to get into your house, they're going to do whatever. Are there any pressing questions? 
We have about 2 minutes left for questions. I think you can ask them directly afterwards. Three hugs afterwards. I would say, if there are any more questions, there's a lock picking village. You can always find me in the lock picking village. I've got a selection of my tools with me. If you want to talk about it, I don't mind sharing it. Okay. So please, another round of applause for an awesome talk.