Every year thousands of eager minds flock to the many InfoSec conferences or meet-ups across the globe only to stumble across a lockpicking station. This raises the question, “Why are they facilitating lockpicking at information security events?”
The answer is actually quite simple. InfoSec practitioners and hobbyists share an extremely deep bond in that they are constantly forcing themselves to learn how technology works and what vulnerabilities may exist within an implementation.
This drive to fully understand every angle of a particular piece of technology results in a breakdown of the purpose, functions, and limitations present. As locks were, and still are, at the forefront of security technologies they can be found everywhere from the home, to the office, and often out in the public. This presents an easily accessible platform to satisfy all of the aforementioned needs of any security-driven mind.
Now that the link between lockpicking and information security has been established, we can approach another factor that makes lockpickers become full-blown picking wizards...the challenge.
Locks are unique and offer multiple levels of difficulty in picking. There is a great sense of pride and satisfaction when you hear the slight click as the cylinder turns after a successful attempt. The ability to have a task facing you with an irrefutable indication of completion gamifies the hobby. As a result, many challenge locks have been created and groups have formed to share resources, tools, and their love of picking. This elevates the community as a whole and brings some people who normally might have passed on an InfoSec event into the fold.
As the InfoSec community grows there is an extreme need for more hands-on and fully immersive elements at conferences to engage attendees. Lockpicking stations offer a simple and scalable solution to this while also offering an escape from the blue light of a screen.
Lockpicking also can cater to entry-level pickers due to the availability of training supplies and caring people to help them learn. Several shops are now offering picks, instruction videos, and clear practice locks to allow for a gradual introduction to the hobby. By utilizing available materials a fully comprehensive environment can be set up in a matter of minutes and provide hours of entertainment.
On a personal note, I cannot stress enough the need for us, as a community, to facilitate these stations and provide a welcoming environment for attendees. More often than not, people trying to break into the InfoSec community can become discouraged, but an extended hand can make all of the difference.
We need to make sure to always be respectful and share our knowledge freely. Help someone pick their first lock and see how you can make a difference. Elevate your peers by sharing with one another the tips and tricks that make these meet-ups such a great resource. The key to the success and continuation of this field may not be a key at all, but a set of picks being held for the first time.
In closing, lockpicking has become a much-needed part of InfoSec due to the fact that it allows a firsthand view into security. Security professionals have access to an abundance of resources to study up on particular topics these days, but to truly understand the risk we are attempting to thwart, we need to have firsthand experience. We need to practice what we preach and force ourselves to take a deep dive in to see how a threat could compromise our security. Lockpicking is one of the easiest ways to drill this into our minds as we can see in real time how human intervention can throw a stick in the spokes of progress and send us back to the drawing board. Without the ability to understand how an attacker could potentially bypass our defenses, we will never be able to improve upon existing security measures.