Interesting Wired article.

On one hand, his alleged justification:

But to Tobias, pissing off The Man isn't the point, not entirely. Nor is it, entirely, to make himself famous or rich — not that he's allergic to either outcome. The point, he says, is to "make [stuff] better." Tobias thinks of himself as a humble public servant. When he attacks the Kryptonite bike lock or the Club (or those in-room safes at Holiday Inn or Caesars Palace), he's not a bad guy — he's just Ralph Nader with a slim jim, protecting consumers by exposing locks, safes, and security systems that aren't actually locked, safe, or secure. [....]

Tobias shrug[s] off [...] concerns, along with the hate mail. Scaring citizens to attention is part of his educational program. "Do you really think ignorance will keep you safe?" he asks. "Is it even an option?"

On the other hand, when a lock came to market which avoided many of the vulnerabilities Tobias had already exposed:

Tobias saw potential in Bluzmanis — and a possible partner. By July 2006, the two were meeting regularly in the back of a Miami locksmith shop, hunting for the Medeco's vulnerabilities... The lock-cracking quest took on the intensity of a recurring fever dream as night after night they employed paper clips, needle-nose pliers, a plane sander, safe-deposit key blanks, plastic sheets, lock-picking tools, tension wrenches, and lots and lots of paper. They divided the Medeco3 mechanism into a series of problems, then devised theories to attack each in order.

It appears the guy's deluded or dishonest about his own motivations — and thus, most likely, impact. I understand the theory: there are a bunch of bad guys out there who can open your locks in some simple way, and we're just ignorant. Expose the vulnerability, get the public scared, they demand upgrades, and ta-da, we're living in a safer world.

Except the world doesn't work like that, and, apparently, neither does Tobias. Look at his work on the Medeco3 lock: here's a lock which, as far as we know, is actually fairly secure — tellingly, even Tobias apparently didn't know of any obvious vulnerabilities. So it wasn't the case that there were a bunch of thieves who were already cracking them, and lock purchasers were just blithely unaware of the real, existing risk.

Instead, Tobias set out to work really hard to figure out how to crack it. And, when he finally (meaning it was far from obvious) figures out how, he notifies the company, and demands they publicly admit the vulnerability. Unsurprisingly -- for reasons both good (they don't want to alert thieves) and bad (disappointed customers, shame) they don't want to go public with the information.

So what does Tobias do in response? I'm sure you've guessed by now...

Tobias wrote another encyclopedic manual, called Open in Thirty Seconds, and in 261 excruciatingly detailed pages, he and Bluzmanis explained exactly how they exploited the Medeco vulnerabilities — and exactly how you could exploit them, too. They spelled out not only picking and bumping attacks but other Medeco3 hacks as well and crowned the work with a cheeky introduction "thanking" Clyde Roberson of Medeco for "making this possible."

Let's review: This is, by Tobias's own admission, the best lock in the world. Tobias is one of the smartest and most obsessed locksmiths on the planet. He certainly is not representative of your typical, or even high-level, criminal. (Much less given that he had to work with another exceptionally brilliant locksmith, for months, on this particular problem.)

So now what are all Medeco lock-owners supposed to do? Upgrade? To what? While he's exposing Medeco to shame, he's also exposing the rest of us to very real risks which did not exist before he published the information. He's not protecting us from the bad guys, he's arming the bad guys against the rest of us.

The same goes even for more mundane situations like bump-keyed locks. Imagine some woman lives in an apartment with a vulnerable lock. Her place can be entered quickly and easily. She could be raped, or her valuables, or identity, stolen. So what: she's raising a kid on her own, working the night shift, and supposed to also be petitioning the landlord — who's a giant company — for better locks? To what avail? Are they likely to upgrade all their locks? Fat chance. And even if they, did, to what? A Medeco lock?

Yes, some locks will be upgraded if he makes the information more public. But it's also true that more people will know how to break the lock. What's the numerical trade-off there? And, more importantly, who is protected first? The rich and powerful. Who is left exposed longest? The poor and weak.

And what of his motives? Yes, I know, Tobias is shocked and enraged that Medeco didn't take him seriously. (He may know locks, but he seems to know very little about human nature.)

Sitting across from Tobias at dinner, protecting my food from flying spittle, I don't really need to ask if he's pissed off. But I do anyway. "What?" he shrieks, alarming the waiter. "Of course I'm pissed off! Everybody should be pissed off! It's not about me. It's about what these locks protect..."

Yet it clearly isn't about "what those locks protect." He himself admitted they were the best in the world. There's nothing for exposed customers to upgrade to. In such a situation, by publicly revealing the exploit, he showed he's not at all concerned about what those locks protecting. Not. One. Iota.

The irony here is that while Tobias is furious that Medeco was thinking only of themselves, he himself apparently has the exact same blind spot.

I want to be clear: I'm not against white-hat cracking, if handled the right way. Richard Feynman, for example, used to pick the file cabinet locks at Oak Ridge -- and then notify the administration. But when they didn't fix the problem, he didn't publish a manual on it, and notify the public (and thus our enemies) of our reliance upon vulnerable file cabinets to store nuclear secrets.