Much has been made about LPL s and his astonishing skill, but I’d like to briefly mention my appreciation for LPL the showman.
I really think the style and format of his show makes it so incredibly watchable. I love his voice, the delivery, and the way he so articulately breaks down how he thinks and approaches problem solving. He really makes you feel like you could do it too.
It’s very subtle but as a showman he’s one of the alltime best on YouTube.
In one of his videos he explained his process with videos. He wants to rule out the possibility of deceptive editing, so he only includes takes done in a single shot (at least for the portion where he demonstrates the technique). As a result, he keeps things short, as that reduces the chance of misspeaking and having to reshoot.
That makes me wonder if LPL had launched the channel today would the YT algorithm even allow the channel to surface in the recommendations anywhere? non-edited, succinct, no-cringe thumbnails or no click-bait title seems like top of the blacklist filter for YT.
Good to know, But LPL would have still had over 2 million subscribers a year ago, I'm talking about someone who starts a YT channel today and makes such videos.
> And the fact that he doesn’t surround his videos with tons of cruft to make them longer.
Unlike most full-time Youtubers, LPL does not need to pad out videos or pander to sponsors to make a living, and he doesn't need to engage in clickbaiting and SEO/algorithm manipulation to lure new viewers. This independency from anyone else is what allows him the complete artistic control to do videos the way he prefers.
Indeed, it's all about incentives. He said during the keynote that his goal is to get the word out and change locks for the better. So far he's seen more incentive to get views than making money on the channel.
This will not always be the case. Given his goals, the channel will change as his priorities shift. When he reaches his goal "everyone is aware that locks suck", his next goal is "change locks for the better". This will involve designing and selling locks and pointing viewers towards better locks in a commercial way.
> This will involve designing and selling locks and pointing viewers towards better locks in a commercial way.
Designing and selling his own locks on his own store would not be too different from his current business model of selling lockpicking tools.
Pointing viewers towards better locks on a commercial way is something I cannot ever see him doing. For one, he already points out there are some locks he cannot pick (IIRC some Abloy models). But especially: LPLs authority is directly derived from the fact he's impartial and unmotivated by financial decisions. Taking money for lock recommendations would completely compromise that impartiality. It's similar to amateur nude models on Reddit and the "OnlyFans hate" - in the eyes of many viewers, once the line between "they are doing what they do for fun" and "they are in it only for the money" blurs, the attractivity fades.
What I do can see LPL do in the future - with far better chances of profit for him - is sell consultancy services and reviews to lockmakers. That would both fit his goal of improving the lockmacking business as a whole and net him a hefty chunk of money, without compromising his outward image.
Monetization models are interesting. In most amateur's case it seems to start out as "for fun" and then flip to "for money". Instead it's simply a gradient of incentives, whether acknowledged or not.
As cryptocurrencies and other models increasingly securitize everything, I wonder what will happen to the "amateur" market. As viewers we get so much free benefit from the hard work of amateurs.
Eh locks are only as good as the doors they're attached to. Any healthy adult male (and probably determined females) can kick and shoulder through a typical door, especially on suburban houses.
Shouldering/kicking through a door is made to break the door at the hinges (unlikely), or the lock. An adult made that tries to kick through the body a door and break it open will take several minutes, at the very least.
Unless the frame is metal or otherwise reinforced, it's not overly difficult to split the frame where the lock pockets are with a couple of good "donkey kicks".
You'd be surprised how quickly you can kick a door down when your psycho (ex) girlfriend deadbolts your door and says she's going to burn your house down because you are evicting her.
It is interesting (read: irritating) to me that YouTube never puts his videos in my algorithmic feed. Every other channel to which I subscribe gets woven in but I had to actually click the bell icon to get notified of new videos for his channel.
He’s also the only YouTuber I’ve ever bought something from. He does a great job of using the things he sells in videos to demonstrate their value and he’s not overly pushy about it like many other creators. He’ll simply mention that the tool he uses is one that is available for purchase from him, no different than mentioning the names of other tools he uses. It’s an ingenious and very effective sales pitch.
From years of experience of being around Lawyers, many of them seek the need to say things in the most unnecessary complex and impersonal ways. Lawyers are often terrible communicators.
I think it can help make ambiguous statements more robust and complete. "I wasn't there" instead of "I was not at the location stated at the time recorded in the complaint".
I sometimes use it if I'm discussing something with someone who likes to nitpick small details that aren't relevant to the main point of the discussion. It can help you railroad a discussion down a particular path. That makes me sound super rude but it's more of a defensive communication device in that circumstance.
This. When dealing with legal stuff, it's very easy to commit verbal mistakes that can sink your case - in Canada, they passed the Apology Act of 2009 for that reason.
Also, he doesn’t start off being able to pick X lock in two seconds or whatever. He fiddles with things a while until it’s optimized. That is what makes it entertaining as well. You don’t have to sit through the whole process. He usually notes anything interesting that came up. Mostly you get results.
If you watch LPL enough, you get the notion that most locks are for keeping honest people honest rather than stopping a determined attacker. All the comments from people who have managed to lock themselves out further reinforce that.
Well, there's a selection bias in LPL's videos: If he can't pick a lock today, he doesn't make a video until he can.
But you're right at a higher level: 99% of buildings have glass windows. Paying $$$$ for locks that go beyond "keeping honest people honest" is pointless if they can be bypassed with a rock.
Bump keys are the simplest way to bypass common locks. You can make one in a few hours and it’s pretty much universal.
Most doors aren’t that strong. You can’t pick a lock but you can just knock the door in.
If you can’t knock a door in, try a window.
House has a security system? Get a ladder and go to the second floor. Most security systems are only installed on the first floor.
Or cut the phone line outside the house as that’ll disable the security system entirely (unless it’s wireless).
If the security system has a combined control panel and main board, just run in and smash it. Good systems separate the control panel from the main board to delay the burglar finding it and allowing the system to call for authorities.
Basically locks, security systems, cameras, reinforced door frames, and protective film on windows are just delays, not preventatives. The idea is to delay the burglar enough such that they either get caught or so they decide to hit the next house without as many obstacles.
> You can’t pick a lock but you can just knock the door in.
A knocked-out door has the disadvantage of being noisy and visible - random passersby may spot either the act or the result and alert the police, whereas most won't even spot the difference between someone using a legit key and a comb key.
The more time passes between the burglary and the discovery, the better for the burglar - if you're already two counties away when the police establishes local roadblocks these won't catch you, CCTV camera or ALPR records get deleted, phone tower (=which phone was logged in at a certain time in a certain area) records grow bigger and harder to sift through, potential witnesses forget details.
Bump keys aren't quite universal. There are different keyways. Plus, not all locks are pin-tumbler locks.
Also, this I'm not sure of, but I think some quality pin-tumbler locks are bump-resistant.
That's all true, but what's interesting is how ubiquitous the worst pin-tumbler lock design is. (I'll be honest, I never shopped for a good lock either! I've only bought one extra lock for an apartment once, and didn't care to get anything but the typical kind!)
The LPL is really similar to a lot of us, complaining that "right-click isn't really hacking, view-source isn't really hacking, come on your system is trivially broken" but about the locks practically everyone uses.
We also complain about companies marketing Super Military-Strength Proprietary Encryption but basic key management not making sense ... similar to how LPL likes to get the Pro Max Security big beefy trailer/fence locks and show how they have some of the same trivial design bugs as the cheap locks.
Last time I called a locksmith to let me into my house (me losing my keys and locking myself out is a somewhat frequent occurrence) he didn’t even bother trying to pick it. Just took a few plastic wedges and used a rubber mallet to hammer them in between the door and the frame and the whole thing popped open. Took maybe 5 seconds.
Of course, you can reinforce your door frame and this doesn’t work. But the next locksmith (like I said, regular occurrence) used a bump key to pick it and was in just as fast.
Needless to say, I don’t trust door locks anymore.
The simplest were the old car-jacks that you could put sideways across a door: a few clicks to expand the jack and you could push the door frame out of linear enough that you can swing the door right open — lock catch no longer reaches.
This is my go-to technique for lockouts (I'm a firefighter, we'll get called for more "urgent" lockouts... a young child still inside, something on the stove, etc).
There are plenty of custom made tools on the market that do a great job (with built-in pads to protect the door frame, etc).
The only issue they commonly run into is a deadbolt with a throw long enough that you have to destroy the jamb and surrounding frame before it comes free.
Is this technique non-destructive and the frame returns to its original shape? From the description it sounded like it'd be way worse than something that destroys the entire door.
Ideally, yes. Wood is surprisingly flexible. Generally the worst that happens is that the paint cracks at the seams between the frame and the trim, or the jamb.
In cases where the deadbolt extends significantly into the frame, then yes, it tends to be destructive. But doors with locks that substantial tend to be sturdy enough that brute forcing the door in any fashion (even if you're just attacking the door itself) is likely to damage the frame.
There are options for "through the lock" forcible entry, where you attack the lock directly, using something like a Rex tool[1]. That will definitely destroy the lock, but usually preserves the door (but isn't suitable for every type of lock).
You're just bowing the framing out enough for the bolt to clear, so maybe 1/4" inch in each direction. The studs will pop right back, but you might need to re-align the hinges or the bolt plate after.
I had a friend who had a car with different keys for the door and the ignition, and he lost the door key. I fashioned a coat-hanger wire into a tool to slide down the window and unlock the door.
By the time he got a replacement key, I was literally faster at opening the door with my tool than he was with his key — once you get the knack of it...
(of course the tool was much more clumsy to carry around than a key, and 2 seconds vs 3 isn't enough to care)
My new door has a mechanism where you first have to pull the handle up to engage this hook-like bolt and then lock the door with key or knob. I thought it was a bit tedious but now I finally understand the purpose. The bolt would prevent the door from being pulled apart from the frame easily.
I saw a video where someone was opening doors with a hydraulic thing that moves heavyb things up (I do not know the English word for that, an inversed press).
You find a strong pint to lean on (a wall, or the ground) and the door is forced open in a matter of seconds (something gives away, hinges or lock).
This is why my lock is a smart one, to make it easier for people to get in (the ones I want to) and I know that a burglar is not going to analyze the emission spectrum but just force my door open.
I would definitely prefer him to use technonoly and not break my door.
I'd sooner get door jam reinforcements for this reason. For everything else, there's alarms. Some are meant to detect windows breaking, but motion sensors are also a good catch all. Security-film on windows also makes breaking them more tedious.
Glass break sensors are almost never installed in residential homes; motion detectors are a lot cheaper, easier to install and more effective since a lot of attacks against windows don’t involve breaking the glass.
Most professional locksmiths can't even pick locks, let alone any successful former thieves I have known. You will rarely see either not go directly for a destructive entry method even when trivial bypasses are available if one had bothered to research.
Lock picking is basically only found among the locksport community.
You have to realise that LPL has a very specific set of skills. Skills he has acquired over a very long career. Skills that make hom a nightmare for people like masterlock.
I had a locksmith out a couple of years ago, and was very disappointed when he simply got out a drill rather than starting with 'click out of one'.
I feel like this comment comes up every time LPL is discussed outside of his context and I think it discounts the hundreds of low / no skill attacks he has demonstrated which apply to many, probably most, of the locks with recognisable name brands that are for sale in brick & mortar stores.
It took me 30 minutes to make and use a tool that he demonstrated using on a lock similar to one I own and most of that time was spent rummaging around my place trying find stuff.
Lastly, I think you got taken advantage of by a locksmith out to sell more locks and keys.
The biggest part of the LPL skillset is his knowledge about all the low-skill attacks that exist, and which locks they work on. Low-skill attacks are only effective if you know about them, and remember which locks each exploit applies to.
The only low-skill attack that seems to have any widespread effectiveness (and would therefore be worth trying on every lock) is raking, and that is pretty easily defeated by any lockmaker who cares.
I believe that "low skilled attack" also includes the ability to search the internet and watch a video. There are literally thousands of videos on YouTube with demonstrations of low skilled attacks using improvised tools.
For example I made a shim and opened a lock I own in less than 30 minutes after watching one of his videos that featured a similar lock. I had never opened a lock without a key before that day, don't have much use of two fingers on one hand, and my toolbox fits in a kitchen drawer.
For your list of common low skill attacks which have widespread effectiveness I would also include shimming, hammering, and cutting. Also in the case of locks with electronics associated with them, strong magnets.
He is also a very skilled SPPer which he will frequently demonstrate. He mentioned in the video the reason he uses so many low skill attacks is because they work so well on locks people *care* about.
The locksmith drills your lock because it takes no skill and allows them to sell (or forces you to buy) a new lock and set of keys at whatever weird time of day it happens to be. The price is almost certainly going to be higher out of normal hours. Plus if he picks the lock in 30 seconds you may not pay such a high fee.
> Plus if he picks the lock in 30 seconds you may not pay such a high fee.
A story I was told once by an electrician who worked at a steel works for years.
The story goes something like this:
One day he was called out to a big engineering workshop, all their fancy new equipment is on the blink.
He walks up to one of the machines, has a look, then without saying anything promptly turns around and walks outside, followed by the curious manager.
The electrician circles the building and turns on the first tap he sees, and lets the water flow for a few minutes spilling on the ground. After leaving that go for a while, he turns the tap off again, and walks back in and tells the machine operators to try again. Magically, they all start working again.
The electrician has been there for barely a few minutes and hasn't even touched the machine or anything else electrical.
The manager asks for an explanation, since the electrician didn't even touch anything electrical. By way of response, the electrician says "You had someone fix that tap outside that was leaking, didn't you?" the manager replies in the affirmative. The electrician then explains that the leaking tap was keeping the building grounded - the slow leak was just enough to keep the sandy soils moist enough for a proper earth connection.
The electrician hands over the bill, with the emergency callout fee and minimum hours, etc.
The manager protests that surely just turning on a tap didn't warrant a fee that large.
The electrician replies that turning the tap on was free, knowing to turn the tap on was what they were paying for.
Whether that story is true or not, there's plenty of similar ones.
The point is that while you might get annoyed that an expert came in and solved the problem quickly, without that expert you were going to wait a lot longer or spend a lot more trying to fix it some other way.
Personally, I'd rather deal with a locksmith that gave me the option:
We can drill the lock, you can pay (say) $300 for new locks and keys and it'll take 30 minutes.
Or, you can pay $300, we'll pick it in a minute, you keep your existing keys.
The locksmith I called a few years ago used a long piece of wire with a string attached, slid it under the door to pull down the door handle from the inside.
This seems like a variation on the old story about Steinmetz, the Wizard of Schenectady, making a chalk mark on a generator at a Ford plant. Which seems to be a true story, although often not attributed. The punchline to this one has always been Steinmetz's itemized bill, of $1 to make the chalk mark and $9,999 to know where to make it.
I locked myself out one night and called a service. The guy showed up and asked if I wanted a show, or the door open. I said open the door please. He did in about ten seconds and I gladly paid full fare for the work.
Spoiler: he leaned on the door to hold the latch in place, then used a plastic shim to trip it open.
I would probably (mentally) look down on the locksmith if he/she just going to drill it out without trying anything else first. I own a power drill too and I know how to use it to break a lock myself with zero knowledge on how lock works (for some weak locks, even a flat head screwdriver is enough to get it done).
On the other hand, if the locksmith clicked my lock out in just 30 seconds, I would probably ask him/her to sell me a better (and sometimes more expensive) lock based on his/her professional opinion.
If we're really going for the detail.... well, my neighbor is a contractor, he owns multiple almost-dead power drills with unlimited supply of dull bits (enough to get the door open). If that's not an option, there are few hardware shops within my walking distance where I can by a new cheap power drill as well as a cheap lock. And if I really messed it up, there is a market for home renovation supplies not really far, they sell doors with comes with lock.
Now that I thought about it this deep, I think I can be a locksmith too with all the nature advantages that I clearly have here. I don't even need a power drill, a battering ram is well enough for my job. And if somebody call me to open their door, I'll just ask which color they would like for the new door that whey about to own.
A locksmith (or interested individual) can rekey a lock. The pins and keys are the cheapest part of the lock too, which is a contributing factor towards why locksmiths lean towards destructive entry. They get to be lazy, the method can't fail and make them look stupid in front of a customer and they get to offer you a sales pitch on buying a new lock right then and there.
Honestly, when it comes to most US locks, they really are a joke.
I learned to pick my parents safe and door locks by 8, and have taught dozens of children to pick virtually every lock you can find in a hardware store.
As a security engineer the first thing I teach peers isn't even software, but lock picking.
Peoples minds really open up when you show them how to open every lock in their own office in under an hour of training.
"Is security on almost everything we trust every day really this shit?!"
Thank you for this insight. I will forever advise anyone interested in getting started with computer security to learn lock picking first. Having done both In the other order id never thought of how insightful it is for fully realise the fragility of the illusion of safety as it exists in the real world as a better grounding for anyone about to learn the fragility of everything in the more complex and more abstract digital world.
> I had a locksmith out a couple of years ago, and was very disappointed when he simply got out a drill rather than starting with 'click out of one'.
That’s a common occurrence because of the incentives. The locksmith wants to spend as little time as possible (average time), and doesn’t pay a premium for destroying the lock, since most people don’t confront them on that.
LPL is amazing, but any decent locksmith could get at least near enough him in competence. It’s not that it’s so hard that very little people can do it, it’s that is very niche for most people to learn.
I bet most locksmiths are the drill and replace type and could not pick a lock reliably anyway. Locksmiths are taught how to dismantle and remove a lock these days rather than how a lock works and therefore how to beat it.
After thinking about this, I realized it makes a lot of sense given what LPL is saying.
After all, if you spent a fortune in some lock and the locksmith can open it in 5 seconds flat, you’ll feel ripped off. It’s possible that a lot locksmiths believe the locks to be safe, and they think they’re saving time by going the drill route.
Not to mention that if the locksmith is selling you the lock, he will want to avoid damaging their reputation.
Also if you actually watch this keynote half the problem isn’t locks you can actually pick but stuff you can just open with very basic tools that don’t even require the skill he has. Like combs, rakes, hammers, slithers of metal, etc.
Going by a presentation from a professional pen tester lock picking is usually far down on their list because there are easier ways to open many doors without picking the lock.
You have to excuse that I didn't watch the video, so i might be missing some context.
LPL's career isn't lockpicking is it? I was under the impression that it was just a hobby that turned into a youtube channel. I seem to recall him saying that he just picks locks all the time, and that's why he's good. I think he said that when he watches movies he takes a 30 locks and then he just sits there and picks them while watching.
It wasn't (he used to be lawyer) but he's won lock picking contests, apparently has a gargantuan collection of locks some of which he habitually practises on, and these days runs a company that sells lock picking tools (though I have no idea if that's his only gig).
Anyway, if you watch all / most of his videos the near constant refrain running through them isn't "with finely honed skills and the right hard to find speciality tools it's easy to open this lock" (though he does do that). Instead it's: "it's easy to open this lock with no or few skills, no or little practice, with trivially found, improvised, or purchased tools, using exploits that have been known in the lock manufacturing and locksmithing industries for decades or centuries".
That in turn is his point in this keynote. These exploits have been known in the lock manufacturing and locksmithing industries for decades or centuries and yet many, perhaps most of the locks that people can buy in stores, still have those flaws (which are easy and inexpensive to eliminate in the design and construction process).
Locks are worse than you think. I'm not skilled, I don't practice, but I've been able to get my parents back in their house within 5 minutes both times they've locked themselves out.
You call out masterlock but they're particularly bad. I lost the key to one and kept using it for a year because unlocking it was as simple as just putting the pick in while turning.
I encourage you to try out locksport as a hobby. Pretty much anyone can learn to pop open a masterlock padlock in 30 seconds or so with maybe a couple hours practice. Don't get me wrong, he makes even really, really hard to pick locks look easy, but that doesn't negate the fact that a lot of locks are just actually easy.
The locks I am most impressed with are from the days of alcohol prohibition. Some doors to speak-easy's looked like part of the wall, had no key holes. Rather just small holes all over the "wall" and you had to poke a piece of metal through the right holes and push/pull the wall in a known way. No windows, no appearance of a room, just a wall. The stairs leading down to it would usually go right past the "door" into a basement storage room with nothing exciting to see. The cops could walk right past the door a thousand times. It might be fun to build a home like this. I suppose you just have to design it so people can not see where you actually entered.
I honestly don't know if there is a name other than "custom pinhole latches". These were all custom made as required. I am not aware of a business that creates anything like this. You can find documentaries on hidden speak-easy's online but I don't have any links handy. The most prevalent implementations of this setup were in New York City but other big cities had them. I want to say the concept dates back to mid-evil times.
So the interesting thing is that nearly all home insurance policies stipulate that you're only covered for theft if there are signs of forced entry - but clearly, any lock can be picked without leaving a mark. So I'd assume either these policies are a scam, or actual real world thieves are not very good lockpickers and a good old crowbar is simply faster and easier.
Unless they stole your gold brick collection, no insurance company is going to dismantle your locks (all of them) and send them for forensic tests. Nor would they accept your hired expert opinion. Such procedures are only rational in extreme cases.
The marks you’re looking for are on the sides of the pins, where they get jammed against the barrel. The Lishi doesn’t help that much in preventing this damage
Huh that is very interesting. However I suspect that unless the door was actually damaged the insurer would just go "yeah you didn't lock your door, no claim for you" - I guess you'd have to pay to get your own lock forensics done.
Yeah, the insurance company isn't going to go out of its way to prove they should pay a claim. But it could be useful for a claimant trying to get compensated.
Source please? Standard HO-3 policy defines theft coverage as
9. Theft
a. This peril includes attempted theft and loss
of property from a known place when it is
likely that the property has been stolen.
b. This peril does not include loss caused by
theft:
(1) Committed by an "insured";
(2) In or to a dwelling under construction, or
of materials and supplies for use in the
construction until the dwelling is finished
and occupied;
(3) From that part of a "residence premises"
rented by an "insured" to someone other
than another "insured"; or
(4) That occurs off the "residence premises" of:
(a) Trailers, semitrailers and campers;
(b) Watercraft of all types, and their
furnishings, equipment and outboard
engines or motors; or
(c) Property while at any other residence
owned by, rented to, or occupied by
an "insured", except while an "insured" is temporarily living there.
Property of an "insured" who is a
student is covered while at the residence the student occupies to attend
school as long as the student has
been there at any time during the 60
days immediately before the loss
My policy from a large building society in the UK has an explicit section for cover for theft /not/ using force and violence, but it doesn't apply if the house is lent/let/sublet. That is covered by the preceding section of theft using force and violence.
I.e. force and violence required if letting the property.
Yeah, that makes insurances pretty useless. I have a jewellery insurance but it but the number of outs for the insurance company is saddening. I need to get hurt when I getting robbed on the street before they will cover the theft of my watch. One of the reasons why I mostly wear some watches at home. And if I get violently robbed they only cover up to the retail price and not the replacement cost/price.
If anyone know a better insurance the cover the above cases in the UK. Please tell me.
I mean, I'm not saying that you would, but I don't see how the rational decision when you find out you've been robbed isn't to break a window yourself. If there's no signs of entry then you simply aren't covered.
I bought lockpicks for the kids when covid hit for something to do. Within an hour, everyone could open the practice lock which is in a clear casing. Within a week, we could all open your typical masterlock and my daughter could open any of the locks you might purchase from home depot.
I spent many, many years in jail. It was fascinating to look at all the types and styles of locks used and try to figure out how to defeat them. The locks on the cells are practically impossible to pick with anything available, IMO, but the bolt itself was easy to defeat. Every cell I've been in has been insanely simple to open once the secret was known, and the knowledge was passed between all the inmates over the years.
It is so common for people to let themselves out of their cells whenever they want that I almost never saw anyone disciplined for the infraction unless you did something dumb like walked up to a sleeping guard and spooked them.
Handcuffs are hilarious. The tiny little bendable pens they sold in the jail were the best way to open the handcuffs - you can just push the nib in and turn it. Tons of people would pop the locks on their cuffs as soon as a guard wasn't looking, but you'd generally need to keep them loose on your wrists so that they would visibly look secure. Again, the guards would just grumble if you took your cuffs off, not write you up for it.
In other words, if there was no lock, I'd enter houses that I can reasonably think are empty / populated by feeble elders myself eventually, however "honest" I appear to be now when I'm surrounded with locks and barriers to crime in general.
It's really interesting stuff, although realistically, the situations in which it matters how hard to pick a lock is are pretty rare -- the majority of situations where an evil actor is trying to bypass a lock are ones where they'd be willing to employ destructive techniques instead.
Some locks are surprisingly easy to open, despite being highly in use.
Locks are to slow an attacker. A determined attacker can bypass almost any lock, but not stealthy enough. If you drill the lock in my front door, you wake up the entire street. If you can pick it in 30 sec in the middle of the night, you wouldn't wake up anyone, but some kind of camera probably picked you up.
I used to pass this bicycle parking at a train station twice a day. I'd always look at the locks (or lack thereof) while walking, quickly thinking which ones I could certainly open (and the question is always: how quick). But I never gave in to the desire, despite a lack of locks and peers (for practice/fun).
If you pick my lock and open my door (or any window in my house) you and I will hear a 90 dB siren and I'll be waiting with a 12 gauge in about 5 seconds after the alarm goes off. I don't understand why anyone doesn't have a basic security and motion sensor setup in their house in this day and age.
He doesn't open them all. He videos the ones he -can- open to shame them.
The Kwikset smart key v3 can't be picked because you get no feedback until all pins are set. You can decode them one pin at a time with expensive specialized tools such as a micro camera put into the cylinder but they will keep someone out for a while so they do their job. You still need to cut a custom key to get in even when you decode it so it is time consuming.
A Medeco will keep out even an experienced lockpicker for a while since pins must be in the right rotation and the right heights.
Beyond that there are really good Disk Detainer locks like the Protec 2 that have no feedback until all discs are correct. There are 0 public confirmed defeats of them.
Beyond that you get into hybrid digital keys like the Cliq. Then you can combine an cylinder known to not have any defeats with a second set of pins that can only be engaged after an AES challenge/response between a microcontroller in the key and one in the lock.
These also have never been defeated.
There are also solutions like the Bowley lock that don't expose the tumblers to the outside world and can only be defeated with many hours of work making custom tools for that specific lock.
I could go on and on.
The reason you can't buy good locks at US hardware stores is fully because the uneducated masses rejected high security locks once companies like master lock pumped out $5 locks with 10/10 security ratings in spite of any informed child being able to open them.
I would love to see people like LPL put their lawyer hats on and sue these companies for dangerously deceptive advertising.
Others have picked the Bowley even though LPL can't but it is more time and work than anyone could reasonably be able to do in a real world application so if anything those efforts are a strong endorsement of the lock.
This guy makes it look pretty easy, and doesn't use advanced tools or anything, just a piece of metal bent to go around the obstacle like the key does (i.e. totally reasonable time and work): https://www.youtube.com/watch?v=KS0FSzamUzc
It feels like Bowley underestimated strong vibration attacks like that and didn't invest enough in spool/serrated pins.
I suspect this is correctable, but I wonder if it would work as well mounted in a sturdy door since the vibration is not directly connecting with the pins.
The Protec2 I would trust far more than the Kwikset SmartKey V3, since it appears only several of the best of the locksport community have been able to pick it.
I couldn't find record of anyone opening a Cliq. I'd be hesitant to say that's because they are unpickable, though. I believe quite a number of the locksport community would not be very interested in attempting to open a Cliq as it isn't purely mechanical.
Fair points and thanks for the corrections. I underestimated how many new developments the pandemic would yield since I last did a deep dive here.
Still they are all well designed locks.
I recommend the smartkey v3 for people that need a lot of locks they can source quickly on a budget. The sidebar design is a real pain to defeat and if the lock is in a body with tight tolerances you may not be able to shim the sidebar at all. Without some kind of attack to tension the sidebar they can't be directly picked.
For those with more money to burn the Medecos are good security for dollar.
I put a couple Protecs on my luggage as tamper evidence devices so the TSA has to call me when they need to search it.
I would not bother with Protecs on a home as they are very expensive and there are generally better areas you can invest in home security for that kind of money but if you have a small number of ingress doors they are nice.
I don't think anything is unpickable/unbackable but when the time to defeat a particular lock someone has not seen before takes 10 minutes to hours and few if any in the world can do it I classify it as a "good" lock when the status quo can be defeated in seconds.
If the shackles are short like on a trailer hitch lock so that a hardshell case like a Pelican fully covers them, then they will have to cut through the body of the lock itself or destroy the luggage.
I have never once had a lock cut. Only one flight ever did they call me for access but normally they don't bother.
I too find his explanation on each click soothing.
Except when he got challenged to open a “difficult” bike lock in under 2 minutes by another locksmith he was dead silent the entire time and opened it in like 20 seconds.
I want LPL to tell me once what to buy, not keep telling me what not to buy 1400 times. It's educational, I understand, but man, can you put up one video where you tell us what you use on your own front door?
I have done a little bit of lock picking as a hobby, and LPL is somewhat of a lock-picking Mozart. Locks I struggle with, he picks in less than 30 seconds.
He has inspired me to become better at lock picking, which helped me at least once when I locked myself out of my locker at work. My Assa-Abloy lock which would have taken me 20 minutes before was open in under 2 minutes.
I am convinced he’s a savant. A combination of maybe naturally higher senses in the fingers and a methodical approach to solving puzzles.
I got pretty good pretty fast at picking, and that convinced me he is otherworldly in his talent and abilities.
On another note, I’m really going to miss Bosnian Bill, he excelled as a teacher and worked hard to remove anything mystical or subjective from approaching lock picking. LPL is great, but still doesn’t quite go into deep detail about how to improve at tensioning, dealing with various types of pins, in a way that resonates with “regular” people, where Bill was just a huge help in those areas.
The intro explaining the weirdness he was exposed to as a result of the channel was eye-opening and shocking to me. Some weirdness is to be expected, but the level of stalking resulting from even such a non-controversial channel is not something I would have thought of.
Edit: Didn't think of the "locksmiths hate it" aspect that probably explains at least some of the crazy (e.g. trackers).
LPL videos are an example in educational videos. Clear explanations, no fluff, no finger pointing (except for Master Lock and unbacked marketing claims) and real expertise.
I keep bringing up smartcards in every thread, but I just can't help it. Car keys seems to be moving towards contactless, at least Tesla got a right idea, there's even open-source implementation as an applet for it https://github.com/darconeous/gauss-key-card.
Cryptography is math and you can't beat math, cost and scale will always limit complicated physical keys. And most existing electronic keys/tags/fobs/cards use cheaper not-quite-smartcards that are vulnerable to replay attacks and cloning, LPL even had some videos about them.
Tesla got it wrong in the sense BT is vulnerable to repeater attacks and such could likely be used to steal your car, assuming you were targeted by someone trying.
Repeater attacks can be mitigated by putting a time limit for a response from the device used as the key (e.g. phone). That's how a lot of contactless payment terminals ensure the physical credit card is in proximity of the reader and someone isn't relaying the responses across the country.
I don't know how Tesla implemented their key, but there's nothing in BT that makes it inherently vulnerable to repeater attacks. Garage doors addressed that problem a long time ago by changing the code after every successful opening.
That's not a repeater attack; that's a replay attack.
A repeater attack means tunneling the communications over the internet/long distance radio/whatever, where someone's in your car and someone else is following you. That's the repeater bit, they have a pair of devices that act like a long distance radio repeater.
If you can make the response fast enough that the speed of light delay dominates you can measure the latency and have an upper bound on how far away the key can be.
This whole comment tree kinda got derailed into bikeshedding about BT with confusion between replay and repeater attacks to boot. It probably isn't any more susceptible than similar RF alternatives.
Personally I wouldn't want a BT key because I used smart rings, namely a contactless payment ring and an OMNI ring. They aren't without issues, but they are miles ahead of a device like Chameleon Tiny Pro (which I also used) when it comes to usability. There might be smaller BLE devices out there, but it is pretty small. About the same as Google Titan BLE based on the images.
There really aren't common technologies that *only* work across spaces no larger than a couple feet; the technologies that normally are limited to very close range can actually be used at larger distances with proper (large, directional) antennas and more powerful radio hardware.
Yes, it's designed for close-range communication, IIRC with proper hardware you can listen into NFC communications from as much 10m / 30feet; and with a relay attack, you can "extend the range" arbitrarily.
Cut Bluetooth then, I'm not talking about Bluetooth. Google Titan also had a Bluetooth version which was also vulnerable I think. And even BLE needs a battery, smartcards (or smart rings) don't.
And there's the weakness. An emergency key that you can use means there's an emergency keyway that can be picked.
And thank goodness, too. I spoke to a locksmith a while back and he told me about some fancy import sports car with no emergency keyway and there was a child locked in, and of course the key was in the vehicle.
He did get the door open, IIRC there was a button to press to unlock, but not where his long-reach tool could easily get to. He said a cop had to watch from the other side and guide him to the button. He said it took around an hour to open.
Funny that right after he explained how he keeps his family safe by keeping his face and name off the internet, he spent the rest of the video focusing on the ineffectiveness and "downright stupidity" of security by obscurity.
I think there is a misunderstanding about security by obscurity. What is bad is hiding defects instead of addressing the problem. It does not mean you should reveal everything! I find it well explained in the video.
For example, if you don't tell people what kind of lock you are using to secure your stuff, this is a form of security by obscurity, but it is not a bad thing. Even if your lock is one of the best, if an attacker knows what it is, he will be better prepared. I think no one who cares about security will tell you things that you don't need to know, it is called OPSEC, I believe.
What is bad is when you realize that your lock is weak, instead of trying to fix it, you try to hide the weakness. And that's the idea that LPL criticizes in his talk.
Hiding his identity is most likely not his only defense against the craziness of the internet. From his videos, we know that he has guns, and who knows what he secures his house with. He is most likely prepared to deal with the consequences of an identity leak, but that doesn't mean he wants it to happen. That's defense in depth, an other important part of security.
This is interesting because we know that's not a good security. In fact, it has been shown that having a gun in the house is associated with more firearm-related deaths and not less.
So I suggest anyone that is thinking of buying guns to read this.
That study doesn't mean that guns are bad security. They obviously lead to more gun related suicides, and can turn domestic fights more violent. However, if you are at high risk of being attacked (if you are a criminal defense attorney or a minor YouTube celebrity), the risk of being assaulted is different from the general population's.
I have an idea for a LPL-proof lock: Take a decent padlock, one that gets high marks from LPL, and then weld a curved steel tube to it ending at the keyhole. Then take the key and cut it in half at the head, welding a long stiff spring to attach the two halves, like a plumber's snake. To unlock, you simply stick the key bit down the tube around the bend and (with some fiddling I'm sure) into the keyway, then you can turn the key to open.
Without direct access to the tumbler, I'm not sure how you'd be able to pick it.
But things from installation issues, to making sure tolerances are maintained while making the locks on a production line, mean that there are always some gaps left in a mass produced and installed lock.
Their friendly competition was fun to watch. LPL made some great suggestions for improvements, and was impressed by the idea that Stuff Made Here came up with as a physical security “outsider.”
Very intentional. He's also quite self-aware -- later in the same keynote, he says something about using a hole for something it wasn't designed for, then notes how wrong that sounded.
Last time I looked I couldn’t find any convincing videos of anyone picking an Abloy Protec2 cylinder. Abloy cylinders aren’t that uncommon so I took that as a sign of these locks being basically unpickable rather than nobody trying.
For people who don't know much about drill bits, but know that steel is harder than titanium, it's a drill coating of titanium nitride or similar according to wikipedia that makes it harder than stainless steel: https://en.wikipedia.org/wiki/Drill_bit#Coatings
Yes. After having watched the keynote, I have mixed feelings. He keeps repeating how awful common locks are, and that it is in the interest of lock users that that is revealed. But never does he mention how a lock buyer can evaluate if a lock is good. What should we look out for?
Look out for (keep away from) US residential lock brands, like Schlage or anything you can buy at Home Depot. Newer Kwikset locks are OK but still susceptible to some more moderate attacks with a shim.
In general, try to get any “rated” European lock. They have standards for pick resistance and brute force resistance unlike retail US locks. Look for something with dimple pins, an active element, or multiple pin stacks with security pins, trap pins (anti tamper).
With all that said I don’t think the low security locks we have are such a problem. You can break a window open or just find an unlocked door if you are looking to do some bad shit. I like how Schuyler Towne put it: locks are just a social contract. I’m saying, hey, don't go opening that door, and as a civil society we agree not to.
A higher security lock on your home isn’t going to make your flimsy door harder to kick down, or your window harder to break, so yeah it’s nice to be educated on the security trade offs you make physically, but I’m not sure it’s important to beef up residential security in the US.
> You can break a window open or just find an unlocked door if you are looking to do some bad shit.
> A higher security lock on your home isn’t going to make your flimsy door harder to kick down, or your window harder to break
From the keynote, that's why LPL puts a heavy focus on bike locks, gun safe locks, etc. The audiences for those locks have a more vested interest in physical security than mere "social conventions". A well-locked bike makes it more difficult for a thief to get all the / enough value from the target. A well-locked gun safe prevents accidents and saves lives.
Also, I live in an apartment on an upper floor. No accessible windows. The only viable way into my residence is through the front door. (There are like two RFID-gated doors before mine, but tailgating renders them pretty ineffectual, and let's not talk about elevator security. [0]) It's not worth it for me to put a better lock on my door, but I'm also not kidding myself about its effectiveness.
I don't agree that locks are "just" a social contract. If they were, the most simple and cheap lock would be sufficient for everything. They are a social contract, but they are also for theft prevention. Those people that are determined to take something from you don't care about that contract and you need as good lock as possible to make it hard for them.
But attacking the lock is the last thing a smart or determined person will do. Sure a better lock helps, this is why most modern cars have much better locks than homes, but even they can be easily opened with the right tools, and often even easier with improvised tools.
Most locks really are cheap and sufficient for everything, in the US, at least, because we are using them right now. Schlage and Master Lock are everywhere and I taught my sister to pick them in a single sitting over drinks.
Even the most common combination locks are easily openable without any tools whatsoever. All those key holding real estate locks are even easier to open than the doors the containing key opens.
But remember, social contracts of all kinds get broken, and that’s why we have a justice system.
> But attacking the lock is the last thing a smart or determined person will do.
I think that is contextual. In a whole lot of apartment buildings, the windows into the apartment are inaccessible from the outside. The door frame is metal, so kicking down the door would wake half the apartment building. Without a lock on the door, anybody who got into the building (generally easy) could silently enter any unoccupied apartment and nobody would know it. But with a good lock, nearly every would-be thief who can't pick locks will go someplace else.
Most thieves DGAF that their target knows that they've been broken into. They want to get stuff to sell later, they want to be in and out very quickly, and they tend not to be the smartest people out there, and having lock picks increases your jail time if caught.
When a thief steals, you are going to notice the missing items either way, a broken window doesn't change that much. Apartment dwellers also tend to be poorer, which makes homes the better target in more ways than one. If the lock is too hard, your just getting more bashed in doors or walls instead, or thieves / creeps climbing porches and going in that way, which happened recently in my area. Many porches are windows and often unlocked.
Also many apartments are not steel framed with steel doors. I have a skinny window in the interior wall of mine, and it's a solid wood door on a wood frame. Also you could get a sledge hammer and bash through the drywall. Or bring drills and take out the door that way.
Also having a fancy lock might actually make you more attractive, because the thief casing out your place might recognize it, think you might have more than the typical person and bring the appropriate battery powered tool and cut out the lock.
To be perfectly honest, I'm amazed how bad physical security is in the residential and even commercial US space. E.g. just the fact that deadlatches, which rely on precise alignment of door and frame to actually be locked, are a thing is amazing. The Euro-stuff has some other issues (cylinder snapping), but at least the bolt-for-locking is literally just a 8x40 mm bolt that goes into the doorframe. I've also never even seen a flat doorframe profile - not even bathroom stalls have them. Manipulating stuff on the other side becomes pretty easy if there's a 9.3/64" gap between door and frame.
And yet, I would bet money that thefts in the US rarely are from lock manipulation (picking, drilling, but maybe brute force eg door frame). We have too many accessible windows in the US, and a lot lower density, maybe this is why Euro locks are more advanced, but regulation is also a factor, we don’t have it here, at least in residential, which makes me wonder if we need it (I assume our insurance system effectively covers the risk)
From a row of cheap locks, you can easily find the best. The key has deep cut (ie long pin) first. It is really difficult to pick behind that first pin.
I think because you somewhat misunderstood the point of the keynote at this security conference. Giving advice about how to buy better locks is either going to be too basic or too lengthy & detail oriented for a presentation of this kind, meant to promote the practice of picking and give historical context. (And entertain.)
If youtube suggests way too many lock picking videos after you watched this one, you can go to your YouTube history and remove the video from the list.
I really think the style and format of his show makes it so incredibly watchable. I love his voice, the delivery, and the way he so articulately breaks down how he thinks and approaches problem solving. He really makes you feel like you could do it too.
It’s very subtle but as a showman he’s one of the alltime best on YouTube.