
Using Lockpicking to Teach Authentication Concepts

BSides Las Vegas · 2018 · 21:27 · 63 views · Published 2018-09
Speakers: Kat Sweet
Category: Community
Difficulty: Intro
Style: Talk
About this talk
Kat Sweet explores how hands-on lockpicking serves as a concrete teaching tool for abstract authentication and security concepts. Drawing on embodied cognition theory, the talk demonstrates how physical locks map to passwords, access control, and defense-in-depth strategies, making security principles tangible and engaging for learners who lack prior security experience.
Original YouTube description: Using Lockpicking to Teach Authentication Concepts - Kat Sweet - Ground1234! - BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript [en]

It's 10:10, let's do this. Thank you all for coming. So: using lockpicking to teach authentication concepts, or, as a terrible pun I put earlier, "picks or it didn't happen." Yay. So I'm Kat, by the way. I am the leading lady of lockpicking here at BSides, along with one Enochs Everett, so if you are curious about learning more, we've got a nice lockpick village in the chill-out room; you can also come by later. I'm Sweet Kat on Twitter, feel free to tweet me. Pronouns are she/her; I'm cis, but I like to try and normalize the whole not-assuming-pronouns thing as much as possible. So let's get to it.

So what are we trying to solve for here? Security can be a very difficult thing to communicate to those who aren't familiar with it. So when we're teaching security concepts, a lot of what we're presenting to people who might not be as familiar with security is very abstract and very difficult to convey. This whole idea of "think like a hacker": what does that even mean if you're not already in that mindset of "think like a hacker"? So how do you get people into that mindset? We need to be thinking about effective, novel approaches. There's been some really good work on this, both in the security education community and from other security practitioners. There's the Analogies Project. Jessy Irwin gave a really good talk at ShmooCon a few years ago called "Speak Security and Enter" about using certain more universal analogies for teaching the security mindset, teaching security concepts, but not too many of these have gone on into a hands-on kind of thing; a lot of times we're still dealing in abstraction. So how do we solve for that?

So, big academic words: embodied cognition. I should just preface this with the fact that I am not an academic, nor am I a psychologist, so this is very armchair, but embodied cognition basically is the educational, or psychological, theory that cognition is influenced by more than the brain itself; it's also influenced by the entire body and the surrounding environment. So one application of this in educational theory involves using concrete objects and concrete metaphors to teach these abstract concepts. That was kind of the idea behind this. It literally came out of late-night conversations with a friend of mine a couple of years ago who was a PhD student in computer science education, and she built a curriculum that she actually taught at r00tz years ago, Caroline Hardin, on teaching open source software to kids using a metaphor of Legos, where some of them were glued together, the proprietary ones, and some of them you could take apart, the open source ones. And open source licensing is not an easy thing for eight-year-olds to wrap their brain around, but they got it. And so I was thinking, huh, how can we apply this to security? So that was kind of the thought behind all of this: turning the abstract into the concrete. That's kind of the focus of this.

So why lockpicking? A few reasons. One, it has a very low barrier to entry. I have taught kids how to lockpick; there were a lot of kids who came by the lockpick village yesterday, well, I guess a lot by the standards of a security conference in Vegas, but it's something that people can generally pick up pretty easily if they have decent manual dexterity, or even crappy manual dexterity; if they have use of their hands, most people can pick up the lockpicking skills in a pretty short period of time, especially when we're talking about one-pin locks. It also has a very low threshold of gratification: lockpicking is sexy, people want to learn how to pick locks. It's a thing that people enjoy knowing how to do, saying they know how to do, and so it therefore incentivizes people's interest in learning more about the security concepts that it represents. If you are doing a thing that is fun, that's going to be more engaging than something that you think is just really, really dry. It also has possibilities for things like "think like an attacker" and "think like a defender," because locks are a barrier, they are a security control, and so you can think of one as a thing guarding something that you want to protect as well as something that you're trying to break into. So "think like an attacker" is useful, but you also have to think like a defender. And one that I didn't put on the slide, too, is that a lot of security professionals have experience with lockpicking, and so it's an easy thing, or an easy enough thing, to teach people rather than trying to learn something new yourself and then go and spread that to an audience.

So I don't make any assumptions about the audience's lockpicking levels, so I just want to give you a high-level overview of the basic theory of lockpicking, the super quick and dirty version. If you want a slightly less quick and dirty version, the lockpick village has beginner sessions that they'll be holding at 11:30 and 2:30 today, and we're also just happy to come by and teach lockpicking if you stop by, and we'll have a contest at 4:00 p.m. I promise this talk isn't just a shameless plug for the lockpick village; it's more of a "if you want to learn more, go here." So basically you have a lock. This is a sort of sideways view of the guts of it, and there are these stacks of pins, driver pins and key pins. The key pins are all cut to different sizes, which is why keys look jagged, and the driver pins are all the same size. So when you have a key you're pushing all the pins up at once and getting them all above the shear line so that the cylinder turns. With lockpicks you're doing them one at a time, and it's a lot of trial and error; you're going in blind. There are those clear practice locks, but for the most part you can't see what you're doing, so it's just kind of figuring it out. And so, yeah, lockpicking basics.

So how do you map that to authentication? So, the passwords track: you probably know the basics of authentication, the process of verifying who you are. God, it's really hard to come down from the nerves of having an AV failure. That's okay, we'll make it work. So basically verifying who you say you are by something you have, like a hardware token or something like that; something you know, like a password, or a security question, something everybody knows. So locks can be a form of physical security: you can have a key, something you have, but you can also think of it as an analogy for a password, something you know, and so you can take that idea of "this is a thing that I have that somebody else might not have" and use that to apply it broadly.

So evasion is the word I was missing on my slide; missed it at Hacker Pyramid last night. But when I teach lockpicking workshops I often start with: why would you pick a lock when you could just break the door down, or blow it up, or bump the key? A lot of it comes back to this: you don't want to leave evidence. Why would you want to leave behind what you're doing? And so this is something that is obviously very broad in security: attackers don't just have a goal of gaining access by any means necessary; the more sophisticated ones aim to get in without leaving any evidence of having gained access, and, you know, the back door so they can get back in. Back door locks; our locks are our own back doors; terrible puns. So if you're doing some kind of brute forcing, that's going to set off alerts and show up easily in logs, and so it's about going in stealth mode. And so...

By the way, I also forgot to say this at the beginning, because we had some fires we were putting out, but I'm happy to take questions at any time. I will not take five-paragraph-long statements, but if you have questions, feel free to ask them. I'll either hold the mic to you or just repeat your question for the sake of the recording or for people who can't hear very well. So feel free. So yeah, basically: leave no trace.

So we also want to talk about uniqueness. One of the most common problems of good security hygiene that I come across is password reuse, and so how do you really drill home the importance of not reusing a password? Well, you think about it: even though the locks might not have 50 pins and be super, super complicated, we don't use the same key for everything that we lock, so in the event that one gets compromised, in the event that somebody breaks into your house, you don't have to replace every single key you own. And so similarly, in the event of a breach, an attacker could use a compromised password to access any account that was associated with it, and so we want to drill home that it's easier to clean up after a compromise.

Complexity is another one. There are more pick-resistant locks that exist, but they're more costly and difficult to manufacture, and so they often lock more critical assets. And so there are these different levels of difficulty with picking locks, and so while we don't encourage weak password use, the fact of the matter is some people are going to use weaker passwords, and so if people need to balance what they use their strongest passwords for, we want to make sure they're focusing on accounts with the most sensitive information. A friend of mine put it really well; she said, never spend more on a defensive solution than the thing you're protecting is worth. Yay, risk. So when I teach security workshops, I often go a little bit into data classification: what is the thing you're trying to protect, how sensitive is it, how risky is it to the business and to the person if it gets leaked? And so we can think of the different levels of complexity of locks, and the ability to pick them and their resistance to picking, as the strength of passwords based on the sensitivity of the information you're trying to protect. And not even just the strength of passwords: the strength of the various security controls you're putting around them.

Also, defense in depth. One of the things I'm always trying to rail against is that there aren't any silver bullets, and when people learn how to pick locks, sometimes their first thought is, oh my god, I'm going to go cry in a fetal position because nothing I own is safe; if I can pick this lock, everything is [ __ ]. And sometimes security people are the same way, especially pen testers; they're like, I got root in five seconds, oh my god, this entire organization could be completely pwned. But again, security is all about balances and trade-offs, and so it's still an extra layer of resistance, and that's what we try to emphasize: you still lock your cars, you still lock the doors to your house. And so there's no single silver bullet; there is a need for a layered approach, and so this is where we can talk about defense in depth, and we can talk about maybe you put a lock on your door, or maybe you've got a home alarm system. Authentication and access control will never be perfect on their own. We're trying to kill the password; even then, there's always going to be stuff, so we want to try to build around things to minimize the attack surface in case of bypass: things like password uniqueness, other technical and physical controls, all of that. So basically it's a matter of saying, yeah, maybe everything is [ __ ], but we can still put layers around our various assets.

So, some limitations to this idea of using lockpicking to teach these concepts of passwords and authentication and security. Lockpick laws vary by state. TOOOL has a list of lockpick laws by state on their website, and I think they have a few other countries as well, but there are some places where we live where we might not be able to do this, especially other countries with more stringent lockpick laws. Like, I know in Tennessee just having picks on you is considered intent; in most of the other states it's not, but you never know. There's also, there can be social consequences and legal consequences even in the places where lockpicking is legal; certain populations, especially certain demographics, may face consequences if they're carrying picks around or if they learn how to pick, especially, like, I don't know, I'll just say it: racism is a thing, and certain people are more likely to face consequences if they get stopped and they've got picks on them than others, and it's shitty. Also, analogies in general can be a really useful teaching tool, but they can also fall apart if we don't draw solid connections to the concepts that we're trying to convey with them, or if we take an analogy a little further than it's applicable. Like, some people keep going down a rabbit hole and saying, how does this lock thing map to this security thing, and that's not always going to be possible. So it's important that we can sort of set boundaries around some of that and use this hands-on thing to draw an analogy, but know that it's not going to be a catch-all.

So, god, I really blew through this because I was afraid I was going to be strapped for time, because I started 10 minutes early. And yeah. So what comes next? Had to throw in a Hamilton reference. Lockpicking-steeped authentication is just one of many possibilities; this hands-on approach can be applied broadly, and I encourage you to think about what you want to convey to people about security and how you can draw that to something that's hands-on and not just them sitting in a lecture, because they're not going to soak up as much information that way as when they're actually playing with stuff, or at least interacting. As security professionals we deal largely in these really abstract concepts, and just trying to repeat them over and over to somebody who is trying to learn is not for the best. So if we can teach the importance of digital security by drawing these physical conclusions, these hands-on analogies, we become more effective at our jobs and our users become safer as a result. So I really rushed through this talk, but if you have any questions, we've got a lot of time, so I'll take any of them. Yes?

Yeah, here, you brought up a good point about carrying lockpicks around. Like, I was wondering if I'd get blocked bringing them back with you on a plane to, you know, Santa Monica.

Yep. You've just kind of, like, hugged them, like, practically eat it. So the question was picks on a plane, basically: "I'm not setting these [ __ ] picks on this [ __ ] plane." So yeah, if you're traveling domestically you should be fine; tools are allowed if they're under six inches. I've never had a problem with TSA stopping me for lockpicks. I haven't traveled with them to another country before, but it depends on the country's lockpick laws. As far as locks, if you've got a buttload of locks in your suitcase, TSA might be a little freaked out because you've got this giant pile of metal in your suitcase, but you should be fine. Anyone else? Yeah.

Just to add to his question about planes: I've only been stopped one time. I carry two lockpick kits with me in my wallet, and I've been stopped one time, and TSA just looked at it; he just gave me a look: what are these locks for? These picks are for the job. Yeah, exactly.

Just normally I don't have a problem carrying lockpicks themselves, but a few times I've had those little lockpick sets that are like a small pocket knife, and those have been challenged by TSA, so I'm not sure why they really focus on the pocket knife; they don't like those. Hey.

So I don't have, like, a great well-formed question, but I'm really curious about sort of the embodied cognition aspect of this, and just, like, if you've seen specific cases of sort of people actually understanding password cracking or password manipulation better as a result of manipulating locks physically.

Yeah, I mean, it's hard to draw causation from correlation, but I have seen people, sort of, like, when I've talked about password cracking while doing it, then they do tend to get it; they're like, yeah. So yeah, yeah.

Hi, Rudy Timoney. Oh, should I... I have my own experience on that, so I teach basic crypto using physical, using locks, and symmetrical, asymmetrical, and different keys and bits and pieces, so I found when I teach it, it's exactly the same setup, that the physical hands-on really works. You've got lockpicking teaching passwords; have you got anything, or have you tried any other physical analogy that works?

Not yet, but I'm always trying to think about that. Security education is a big part of my role at work, and so I'm always trying to think of how we can incorporate anything that's interactive or hands-on, especially since they found that even just doing something with your hands, even if it's completely orthogonal to what you're teaching, can be useful, like, I don't know, playing with a fidget toy or something while you're listening. Like, in college I would knit during lectures, and they found that just doing something with your hands can help with retention of information. So I'm always trying to keep that in mind, but if you have ideas, please, by all means, implement them, share them widely. Yeah.

A question for the previous speaker: do you have an actual asymmetric physical lock set that you can use to describe PKI? I've been looking for something like that.

So the thing that I've seen used in, like, videos for talking about PKI is actually a lockbox where you can unlock the top with one key and unlock the bottom with another. So, but I don't know if you've got anything to add?

Very similar, or paper and envelopes.

Nice, cool.

Yeah, thank you for your presentation. It's given me some ideas that I can take back when I do some general user training, awareness training. Question about the analogy: do you have an analogy perhaps for multi-factor authentication? Maybe the home alarm with a code that's, like, randomized, maybe?

Yeah, this is kind of a bread-and-butter thing that I need to think about a lot more, but I work for Duo Security, so 2FA is one of our things. Oftentimes the thing that I talk about is ATMs: you have a card, something you have, and then you have a PIN, something you know. But there's got to be a lot of things out there for MFA. Cool.

Anyone else? All right, we finished super early, so if you have follow-up questions that you prefer to not answer in a crowd, or you want to catch me afterwards, I'll be around for a little while, and then you can probably find me in the lockpick village for a bunch of the day. Again, I'm sorry for the AV issues, and I'm sorry that I then rushed through this talk, but we got through it. Thank you all for coming. [Applause]
