Tuesday, there was an afterparty at a Cuban bar, with similar open bar. Wednesday, I went out for drinks with the conference organizers, I recorded a brief interview I’ll try to type up later.  Thursday, I got drinks (again) with a really cool Brazilian hacker/security researcher guy. So basically, my liver probably hates me (I took Friday night off), but I’ve been having an awesome time.

I’ve done kind of a poor job of writing about things as they happened, so there’s a bunch of stuff in Chile that I should try to go back and cover. Apologies if that makes this kind of hard to follow. One cool thing a Chilean hacker showed me is actually less of a hack, and more of just a “why would they make it like that?” security failure.

Unlike Buenos Aires, where every bus line is a separate company competing against each other and fighting tooth-and-nail against a unified payment system, Santiago has a very convenient contactless smartcard system (called the “bip!”—”beep!” in Spanish—card) for both buses and metro lines. However, for reasons that are totally beyond me, the Santiago transit system has decided to make all the information about the movements of anyone using their bip card accessible to anyone who cares to see it.

If you go to this website, and then click on “Saldo y Movemientos” you can enter my Bip card number (08969210) in the field for “Ingrese su Nº Tarjeta bip!”, choose to see the last 90 days, and click “Acceptar” to see every place that I added money to the card or took a bus or metro during my time in Santiago.

To be fair, I paid cash for the card, so my bip number isn’t actually personally identifying information (or it wasn’t until I wrote this blog post, anyway). But for university students in Santiago, their student ID card doubles as a bip pass, and that student ID number IS personally identifiable. Plus, I’m sure many people pay for their bip card with a credit card, or tie their bip card to a credit account so it will automatically debit to recharge.

Furthermore, if you really just wanted to creep on a random stranger, the bip card number is printed on the receipt you get for adding value to the card. As you’d expect, most of these receipts are immediately abandoned in garbage cans or on the floor of the metro station. It would be trivial to retrieve one and then monitor that person’s movement.

I don’t have any objection to a city transit agency tracking its ridership, especially when done in a way that’s more-or-less anonymous. Obviously, it helps them to see which lines are busy, where they need to add buses, trains, and so forth. What I don’t understand is why they decided to make this information available the way they do.

What could the possible advantage to riders be? I guess it might theoretically be convenient to check the balance on your card from the internet. But surely you already know the places you’ve gone, right? Making that data accessible to the public with no authentication is only a minor security vulnerability, but it’s also a completely unnecessary one.

I mentioned this to a friend of mine, and he said something like, “Wow, only 25? It kind of feels like Tetris should have been around forever.” I can see where he’s coming from. There’s something about the platonic purity of Tetris that makes it seem timeless. Other computer games from the 1980s, may still be fun, but invariably feel dated, handicapped by the primitive graphics and sound hardware of the era. Not so with Tetris. Playing Tetris, one gets the feeling that it looks and sounds the way it does because that’s what Tetris is.

The history behind the creation, licensing and promotion of Tetris is incredibly convoluted. It is a tale rich with Cold War politics and transnational intrigue. It’s also too long to recount here, and covered in sufficient detail elsewhere.

Of course, Tetris’ most famous characteristic is its addictive gameplay. In fact, it may be the only game so addictive that it nearly prevented its own completion. When Alexey Pajitnov first wrote Tetris, he found himself so distracted by playing the half-finished version—with no scoring, acceleration, or levels—that he almost didn’t get around to writing those features.

Over the years, a similar addiction has consumed the lives and livelihoods of many. World-record Tetris players have been known to play for more than 12 hours at a time. In my own life, back in junior high, I used to play Tetris DX on the Gameboy Color for an hour or two at a stretch, maxing out the acceleration.

I can testify that Tetris does weird things to your brain. At first, as the pieces fall faster and faster, the game becomes more hectic and stressful. However, I found that if I survived, and kept playing long enough, eventually I would move past that to a Zen-like state of total focus. The feeling is as though all available cognitive resources were redirected to the unitary goal of sorting blocks. Once I reached that state, it didn’t seem to matter how fast the pieces dropped, I was relaxed. I found that I could even get up and wander around my house, in a kind of trance, without breaking concentration. If somebody spoke to me, it seemed to come slowly and from far away. Unfortunately, replying would take me up out of the zone, and the quality of my play would decline rapidly. More than one game was lost as the result of my parents trying to talk to me.

I have occasionally had a similar feeling when writing, or during an exam, but never as overwhelmingly as when playing Tetris. This is analogous to the mental state reached by skilled hackers when coding. The Jargon file defines “hack mode” as:

“a Zen-like state of total focus on The Problem that may be achieved when one is hacking (this is why every good hacker is part mystic). Ability to enter such concentration at will correlates strongly with wizardliness; it is one of the most important skills learned during larval stage. Sometimes amplified as deep hack mode.”

The entry goes on to discuss the jarring experience of being jolted back to reality when deep in hack mode. In Tetris, that moment occurs when you lose. I would have a brief moment of disorientation, and “Wait, I’m not playing anymore?”, followed, of course, by the pervasive belief that everything in the world is made out of tetrominos, and if I could only fit them together properly, my life would be much, much better.

This post-Tetris hangover, the “Tetris Effect,” is actually a documented neurological phenomenon. Following intense Tetris sessions, players may visualize the real word in terms of interlocking geometric forms, they may see falling colored (or hideous green monochrome!) blocks when they close their eyes. Oh, and, yes, you will play Tetris in your dreams.

The mathematical aspects of Tetris are nearly as fascinating as its neurological ones. Like other classics, such as Chess or Go, Tetris is a game that is striking in its outward simplicity, but conceals enormous complexity. The number of possible board configurations in Tetris is on the order of 10^59 (for comparison, chess includes between 10^43 and 10^50 legal board positions, and there are probably about 10^75 atoms in the universe).

However, unlike these other games, Tetris is fundamentally digital. With due respect to the creators of some truly inspired electromechanical adaptations, Tetris really must be played on a computer of some sort. Intriguingly, Tetris is not a game that can be played by computers perfectly. Although for any given board configuration there is theoretically an ideal move, calculating this move in real time, for all possible situations, is beyond current computer hardware.

The best Tetris-playing AIs can complete hundreds of millions of lines before they lose, but they will eventually make a mistake and lose. There’s an outstanding (but long and technical) paper here where Colin Fahey explains his design of a Tetris AI (and anything else you’d want to know about the theory behind Tetris). If you’d just like to play around with a Tetris AI demonstration, you can download a good one here.

However, even if it were possible to construct an AI that played Tetris perfectly, it would still lose. There exist possible sequences of blocks which are impossible to clear fully, even by an inhumanly perfect player, and these necessarily result in a loss. Assuming that the sequence of pieces were truly random (computer random number generators only produce pseudo-random numbers, for reasons that are themselves complicated and interesting) the system would eventually (as t->∞) deal one of these sequences. One example of an absolutely fatal sequence is 70,000 or so Z- or S-pieces. The reasoning behind this futility is explained by a UIC math professor here; on his site, you can also play a modified version of Tetris that deals only S’s and Z’s. Experience failure yourself!

The fact that it’s mathematically impossible to win at Tetris; indeed, impossible even to achieve the sustained stalemate of perpetual play probably has as much to do with our enduring fascination for the game as anything else. Some see in Tetris’ futility a reflection of the grim, resigned outlook of its Russian creator, others a metaphor for the inevitable collapse of the Soviet Union, or communism writ large; still others find Tetris a metaphor for life itself. Hint: at the end, you always die.

For myself, I suppose the fact that I can never “beat” Tetris means that it will always represent a challenge. Tetris is the unclimbable mountain of video games. There’s a quote from an author whose name I can’t recall (and that I, shockingly, can’t find in google!) that goes very nearly:

“It is only possible to really succeed at second-rate pursuits like politics, sport, or war. Truly worthwhile human endeavors—art, science, philosophy—necessarily evoke a sense of failure”

This, more than anything else, is the reason that Tetris is perhaps the only video game about which we can accurately predict, “They’ll Keep Playing It Long After All of Us Are Dead.”

Hack the Gibson!

However, if you had been reading the tech sections of major media sources in the past few days, you might easily be forgiven for thinking that Conficker was on the verge of ending the internet (or possibly the world) as we know it. A roundup of some of the coverage I’ve seen:

“The Worm That Ate the Web” from Slate, who couldn’t resist the temptation to slap an over-the-top headline on an otherwise fairly good article.

“Worm Infects Millions of Computers Worldwide” from the New York Times, which also features the priceless quote, “If you’re looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon,” from some guy at a security firm.

“The Conficker Worm: What happens next?” from CBS News, which characterizes it as “one of the most dangerous threats ever,” a phrase that practically cries out for some sort of qualifier—surely the Ebola virus and nuclear war clock in ahead of Conficker on the threat scale, yes?

“Computer experts brace for ‘Conficker’ worm” from Reuters, who’ve since redirected some of their links to the more accurate, but still ominous-sounding “Malicious virus quiet, but attack may be in works”

The short, boring version of this story is that Conficker is not that different from other worms in the past. It’s somewhat more advanced, with peer-to-peer communication and a cryptographically-protected system for phoning home for instructions. However, where it really excels is public relations. By having a clever, funny-sounding name (“Conficker” is pronounced like an accented “configure”, but “ficker” is a noun form of the German verb ficken, which means “to fuck”) and by setting the latest version, Conficker.C, to start listening for instructions on April 1, the worm’s authors tapped into a perfect storm of tech journalists desperate to write an April Fool’s Day story that doesn’t boil down to “Somebody said something funny on teh internets” and antivirus software companies eager to scare people into buying their product (nevermind that the vulnerability Conficker exploits has already been closed by normal Windows updates).

Much of the coverage has focused on the supposedly mysterious intentions of the worm’s creators: as of right now, the worm isn’t actually doing anything to infected computers. It’s taken them over, (pwned, or zombied if you prefer colorful verbiage) but the botnet is still waiting for further instructions from its masters. Many of the articles have this attitude of, “What happens now is ANYONE’S guess! They could do ANYTHING!”

I hate to be the one to kill the mystery, but I can tell you right now that these computers will eventually be used for either a) sending spam, or b) DDoS attacks, or both. The reason I know this is because these are basically the only things anyone ever uses a botnet for. I suppose they might also harvest personal information from infected machines, but there isn’t really any need to create a large, coordinated, remotely-controllable network for that purpose.

It’s really too bad that botnet hackers are so uninventive. When I talk to laypeople about my project, and about hackers, these are the kinds of hackers they typically think of: low-grade criminals who are out to make a buck. But to me, these kinds of botnet spammers are absolutely the least-interesting subspecies of hacker. I have some respect for the technical know-how needed to uncover a vulnerability and exploit it, but the motivation behind it is so pedestrian and petty. As one article put it, “The days of hacker meritocracy earned through digitally destructive acts…have given way to profit schemes in which malware and hacking skills are used to snoop on networks.”

I was brainstorming with a friend of mine, trying to come up with more interesting things to do with a botnet. Some options include:
-> Running SETI@Home on the zombie machines.
-> Using them to brute-force crack cryptography.
-> Find giant prime numbers with them.
-> Conduct sociological research on worm victims. It would be a rare chance to study computer use habits without subjects modifying their behavior.
-> Play Six Degrees of Separation with victims’ email address books. I’d be very curious to find out the average number of nodes separating two people in a botnet.

If any Russian botnet masters are reading this, drop me an encrypted email, we can work something out!

My other idea for a creative, malicious virus or worm wouldn’t necessarily require a botnet. It seems to me that viruses typically target computer resources and data, so it would be novel to see a virus that targeted the human users behind those computers. You could write a virus that sent out emails designed to introduce acute social awkwardness. It would probably be possible to use a heuristic that combined data from a victim’s email contact list with public search results to identify certain types of people, then the virus could send out targeted emails.

Send long, heartfelt declarations of love to email contacts of the opposite sex: “I know you’ve probably never thought of me this way, but I’ve always loved you…”

Identify co-workers who have the emails at the same domain name: “Hey, about that project you asked me to work on: I went on kind of a bender this weekend, so I didn’t really get anything done…”

Extra-credit for .edu domains: “Professor _______, your ideas are laughable and you’re so boring I always sleep through your class.”

For bonus points, spot variations of “Dad” and “Mom” in a contact list: “Dad, I need to tell you, I’m running away to join a corporeal mime troupe. This is what I really want to do with my life.” / “Mom, I’m gay. I thought it was important for you to know.”

For added realism, the virus could be programmed to only send messages late on Friday and Saturday nights, when many suspiciously honest and poorly-typed emails are typically sent.

One person I shared this idea with commented that, “That would be the most evil computer virus ever!” Luckily for the world, my coding skills are nowhere near up to the task of actually writing such a virus. I’m probably not that evil, either.

However, I would like to see the malicious hackers of the world up their game a little bit. If you’re going to be evil anyway, at least be evil and clever! It’s not like they’re handing out extra-long jail sentences for creativity.

There’s some acknowledgment of German and Austrian hackerspaces, but we get sentences like, “German and Austrian hackers have been organizing into hacker collectives for years, including Metalab in Vienna, c-base in Berlin and the Chaos Computer Club in Hannover, Germany”

The author of this article is lumping together Metalab, founded in 2006, c-base, founded circa 1995, and CCC, founded 1981(ish?) as though they’re all similar sorts of places. Metalab is relatively recent and operates on a model very much like the American hackerspaces: it’s a platform, with dues-paying members and resources for projects, but nothing in the way of its own agenda or ideology. c-base is much older, predating the late 90s tech boom, and with a great deal in the way of history and self-created mythos surrounding it. CCC predates even the World Wide Web, transcends any one specific location or space (with chapters active in several German cities) and probably belongs alongside institutions like 2600 as founding members of the 1980s hacker culture.

It’s great to see hackerspaces getting mainstream exposure, but it would also be nice to see more recognition of the long history and broad geographic reach of the scene. Say, for starters, a specific mention of any hackerspace outside of the United States, Germany, or Austria. I’ve definitely encountered grumbling from some European hackers about the US-centric nature of coverage of hackerspaces, or of groups (hackerspaces.org sometimes included) pushing an “American” model for hackerspaces. This model includes a rented or purchased space, relatively expensive membership dues (Wired quotes $40 per month as the “starving hacker rate” at Noisebridge, while some of the more anarchist European hackerspaces either have no “members” at all, or charge dues on the order of €15 per year) and fancy equipment (NYC Resistor has their own high-powered laser cutter—which is, admittedly, totally awesome).

I realize that Wired is a US-based media source, so it makes sense that they’d go to American hackerspaces to do interviews and get quotes. I guess it’s just that, as an American traveling abroad, I’m quite sensitive about trying not to fall into the American stereotype of bungling into a situation I don’t understand, and telling people to do it my way. Americans are very much latecomers to the hackerspace scene. In fact, even at the point when I was first proposing this project, in late 2007, most of the American hackerspaces mentioned in the Wired article did not exist yet. During one of my Watson interviews, I was asked, “Why do you need to leave the United States to do this project?” and I answered (at the time, honestly) “Because the kinds of places that I want to visit simply are not in America.”

Don’t get me wrong, I’m thrilled to see these types of places springing up across my home country, I just think the Americans would do well to remember that they are essentially re-inventing wheel, here.

EDIT: Also, since this is pretty much the first time I’ve ever specifically written about hackerspaces in the United States, I think it’s appropriate to throw out a plug for the newly-founded Pumping Station One, in my hometown of Chicago. My friend Dave recently interviewed Eric Michaud, one of the founders.

Also, if people reading here find it irritating to click over to the other site, there’s no real reason I couldn’t just cross-post these things here, too. Let me know.

Later, I’ll try to write more about that (and the dozen other things I haven’t really properly written up), but in the meantime, here’s a video the Hamlab guys put together of a protest they organized outside the ruling political party’s headquarters. Based on what they told me, it sounds like under current Spanish law, downloading copyrighted material is not actually illegal, only uploading. I believe Canada has a similar legal situation. Anyway, there’s a proposal to change that, and they showed up to protest against it. When the camera pans around, you can really see how large the crowd is. I was surprised how many people they got out for their protest.

Thanks/blame for the subtitles goes to the Hamlab guys, not me.

In other news, tomorrow is my final day in Europe. I’m catching a 10 pm flight out of Madrid to Buenos Aires, Argentina. The flight takes like 13 hours or so, and I’m planning on spending at least part of that writing, so maybe I can get some longish blog posts again. I’m really excited, but also kind of nervous. I think it’ll be refreshing to be in a country where I at least sort of speak the language. I’m loving the ability to read signs here in Madrid. But it also feels a bit like starting my entire trip over. I do have a lead on some contacts in Buenos Aires from one of the hackers in Paris.

I was also thinking it would be quite amusing if any of my American friends who attend would bring some sort of small, strange gift to give to Johannes Grenzfurthner. You’ll recognize him as the loud, singing one wearing all black.

Examples of the kinds of things he might appreciate are: Chick Tracts, Burger King body spray, historical memorabilia from the German American Bund, a Kinko’s-bound collection of applied office art works (a.k.a. bored doodles) stolen off the desks of your coworkers, or Sarah Palin campaign buttons. But use your imagination, many of you are more creative than I am. If anyone goes to see the show, be sure to come back here and comment about it.

Right Claw South – The March 2009 Monochrom Tour:

• March 7: San Francisco (8 PM @ Soviet Special, Chez Poulet, 3359 Cesar Chavez)
• March 11: San Jose (9:30 @ Etech/LateTech, Fairmont Hotel)
• March 14: Seattle (8 PM @ Theatre4, 305 Harrison, 4th Floor)
• March 18: Chicago (7:30 PM @ Mercury Cafe, 1505 W Chicago Ave)
• March 19: St. Louis (3 PM @ Webster University, Dept. of Arts)
• March 19: St. Louis (9 PM @ to be announced)
• March 21: Brooklyn/NY (8 PM @ NYCResistor, 397 Bridge Street, 5th Floor)
• March 24: Boston (8 PM @ to be announced)

However, I was totally unprepared to encounter these two immutable principles of journalistic incompetence exemplified together in a single article, like some horrible Orthrus of fail.

Twice the facepalm for twice the fail.

Right from the headline, “World’s Greatest Hacker Says Obama’s Blackberry Can Be Breached,” you can be pretty sure this article is going to be terrible.

Obviously, there’s no such thing as a perfectly secure system. With some reservations, if it was made by humans, it can be broken by humans. But, more importantly, “Who is this World’s Greatest Hacker?” you ask. Why, it’s self-promoting “security expert” and author, Kevin Mitnick of course! The fact that he got caught and went to jail for 5 years might undermine his claim to the title of ‘World’s Greatest’, but we’ll leave that be for now.

What does the überhacker propose as a method for attacking the presidential PDA?

Step 1: “If I was [WERE!] the attacker, I would look to Obama’s close circle of friends, family and associates and try to compromise their machines at home,” Mitnick said. “The objective would be to get Obama’s e-mail address on the BlackBerry.”

So you begin by hacking an ordinary, non-governmental, desktop computer that happens to belong to a friend of Obama’s close enough to be on the much-ballyhooed email whitelist. That sounds like a reasonable starting point.

Step 2: Once armed with Obama’s coveted e-mail address, a hacker could theoretically send an e-mail to Obama in an attempt to lure him to a Web site that has previously been breached in order to transfer “malicious code,” Mitnick said.

Ok, now we reverse-engineer the…huh? WHAT? That’s it? That’s the entire plan? Get Obama’s email, send him a shady phishing link and pray the President clicks it?

For his sake, I’m hoping Mitnick had a lot more (better) ideas that the Fox writer omitted. Because as it stands, his entire mega-hacker strategy is predicated on the idea that Obama is less careful on the internet than my grandma. That is Mitnick’s forté, though. He claims that all of his illegal hacks were actually accomplished through social engineering (a.k.a ‘lying to people until they give you their password’) alone.

Luckily for Mitnick, he’s not the only one on board with this moronic plan: Chris Soghoian, a student fellow at Harvard University’s Berkman Center for Internet and Society, agreed that the most likely route to Obama’s BlackBerry would be to trick the president into visiting a pirated Web site.

“These are attacks when you visit a Web site, and within seconds, it hacks into your computer and forces it to download viruses,” Soghoian said. “In many cases, people get infected by using out-of-date browsers.”

Oh, of course! So not only are we assuming that Obama blindly clicks links like an AOLer circa 1997 (“Are you the President of the USA? Want to rein in Iranian nuclear ambitions? Click here for hot foreign policy and penis enlargement tips!”) but we’re counting on him to be running IE6 (or the mobile equivalent) when he does it.

The whole article reads almost like a conscious self-parody. Right before offering his foolproof 2-step presidential-hacksassination plot, Mitnick is quoted warning that, “It’s a long shot, but it’s possible. You’d probably need to be pretty sophisticated, but there’s people out there who are.”

Also noteworthy is the hilariously petty and petulant tone of the article overall: “Despite warnings from his advisers, the president insisted on keeping his beloved PDA, which now has specially designed superencrypting security software.”

If he loves it so much, why doesn’t he just marry it? Who does this Obama think he is, with his fancy emailing and PDAs? Is he too good to send a telegram, like his hero Abe Lincoln?

It’s a pretty cool opportunity, and I’m excited. The hackerspaces.org people’s interests dovetail very well with the focus of my project. If you’re interested, you can read my introductory post, although if you’ve been following this blog regularly, it will contain approximately zero new information for you.

I should say, however, that I’m not entirely without reservations. One of the big goals of the Watson Fellowship is to promote independence. To that end, I’m not supposed to be affiliated with any academic institution, take any paid jobs, or even structured volunteer posts. I don’t feel like unpaid blogging falls into any of the verboten categories (especially since I’ve already been writing about my experiences). But I am a little bit concerned that even being tangentially associated with hackerspaces.org could compromise that independence.

As far as I can tell, hackerspaces.org is mostly viewed in a positive light in the hacker community, but it’s not entirely uncontroversial. There are some hackers who instinctively resist any form of listing, categorization and public exposure. There are others who essentially agree with the site’s mission, but criticize it for promoting what they see as a one-size-fits-all approach to hacker spaces (“This is how you make a hacklab”). I’ve also heard grumbling about a supposed Amero-centrism, which I find sort of ironic given that they’re based in Austria. It is fair to point out that many of the most active participants on the hackerspaces.org conference calls came from American hacker spaces. Monopolizing conversations is kind of an American specialty, apparently.

I’m sure that blogging for hackerspaces.org will be a great chance to get in touch with more hackerspaces and meet more interesting individuals. At the same time, there could be a tradeoff where people who don’t like hackerspaces.org are less willing to talk to me. Basically, I want to make sure I can approach the people I meet as myself, an individual, and not as a representative of, or a traveling envoy from, hackerspaces.org.

I went grocery shopping and discovered that while you can get Campbell’s soup in Sweden, you can only get mushroom, tomato and asparagus; sadly, not chicken noodle. Also, the cans are weirdly small and metric. Every company in the world seems to round down to the nearest metric size.

I promise this story goes somewhere (not necessarily anywhere interesting).

What could this be?

I settled on buying a couple cans of Campbell’s soup, for reasons of homesickness, and also some Swedish(probably?)-brand chicken soup for reasons of actual sickness. The Campbell’s soup helpfully comes with a little pull-tab for removing the lid, but not so the Knorr-brand (Knorr may actually be the Swedish word for “soup” and not a brand name, it’s slightly ambiguous).

I spent a fair amount of time searching through the unfamiliar kitchen, which contains three (3!) garlic presses but zero obvious can openers. I finally settled on the oddly shaped flange of metal pictured above as the most promising can-opener-like object.

By wedging the side notch against the rim of the can and levering the “tooth” part against the top, it’s possible to produce a puncture. But then you’re sort of stuck. There’s no way (I could find) to maintain the pressure, and the edge isn’t sharp enough to allow you to cut your way around the can. I just repeated the puncturing procedure like 20 times until I’d gone most of the way around and could peel back the lid. It took me about 10 minutes, but the payoff was a tasty bowl of soup.

Example (Yes, yes, I know there's a pull-tab!)

I’m still not really sure how to feel about this outcome (obviously, ‘less hungry’ was a first). Either I was marginally clever in improvising a decent way to open a can without a can opener, or I was incredibly stupid at figuring out how to use a piece of technology as simple as a can opener. Does anyone out there in the internet have any idea whether the metal thing is a can opener? If it’s not, what else is it? For the record, the Swedes who own the maybe-opener are uncertain themselves.

In any case, the whole subject of trying-to-open-things-with-other-things-that-weren’t-designed-for-opening-them is particularly relevant to me, since I’ve been trying to pick up lockpicking as a hobby.

Lockpicking is actually a fairly popular hobby among hackers. It appeals to many of the same sorts of impulses: analytic problem-solving, a desire to understand the inner workings of a system, curiosity about whether that system can be exploited. The canonical document on the subject is the MIT Lockpicking Guide (although MIT has been trying to disassociate itself). I read it a couple years ago, and again in the last few weeks. It’s an excellent introduction to the subject, and really drives home the point that lockpicking is at least at much a mental craft as a physical one.

In order to be able to open a lock, you really have to be able to reconstruct in your head what’s going on inside the lock. This is the aspect of lockpicking that’s kind of exciting to me, the idea of possessing some arcane knowledge that’s in and of itself powerful and slightly dangerous.

What's going on in there?

At 25C3, there was an entire section of tables devoted to lockpicking. They had tools you could borrow and lots of different locks to experiment with. They also held several workshops to teach participants how to open different kinds of locks: padlocks, door locks, handcuffs, etc. I went to one of the workshops, but I’m still very much a novice. I think I understand the theoretical underpinnings, but there’s also a tactile knack that I have not come close to developing yet.

The Research Department hacklab here in Malmö has their own nice collection of locks. I borrowed a few and poking at them has been a good way to pass the time while I was sick. So far, all I can do is set one or two pins, not very close to opening any of the locks. I’m curious whether there will be some sort of “AHA!” moment where I get the feel for it, or if it’s one of those things where you just very gradually improve at it.

Locks, locks everywhere