This reminded me of Matt Blaze's work on physical lock security back in 2003. He found a method of deriving the "master key" for a building (one key that opens all locks) from a single example: https://www.mattblaze.org/masterkey.html
When he published about this he was bombarded with messages from locksmiths complaining that they all knew about this and kept it secret for a reason! https://www.mattblaze.org/papers/kiss.html
It was a fascinating clash between computer security principles - disclose vulnerabilities - and physical locksmith culture, which was all about trade secrets.
> On July 7, the company dismissed the lawsuit against McNally instead.
> Proven also made a highly unusual request: Would the judge please seal almost the entire court record—including the request to seal?
Tough at first then running away with the tail between their legs. Typical bullying behavior.
> but Proven complained about a “pattern of intimidation and harassment by individuals influenced by Defendant McNally’s content.”
They have to know it's generated by their own lawsuit and how they approached it, right? They can't be that oblivious to turn around and say "Judge, look at all the craziness this generated, we just have to seal the records!". It's like an ice-cream cone that licks itself.
> the case became a classic example of the Streisand Effect, in which the attempt to censor information can instead call attention to it.
A constant reminder to keep the people who don't know what they are doing (including the owners of the company!) from the social media.
I once worked for a company that kept its passwords locked in a safe. One day, all other copies of the password were lost, and they needed it, but the safe's key could not be found.
They expensed a sledgehammer and obtained the password through physical modification of the safe using a careful application of force. Some employees complained that meant the safe wasn't... well, safe.
The security team replied "Working as Intended" - no safe is truly safe, it's just designed to slow down an attacker. At that moment, I was enlightened.
> Under questioning, however, one of Proven’s employees admitted that he had been able to duplicate McNally’s technique, leading to the question from McNally’s lawyer: “When you did it yourself, did it occur to you for one moment that maybe the best thing to do, instead of file a lawsuit, was to fix [the lock]?”
Sometimes a single question tells you how the entire case is going to go.
Back in 2007, I published the first YouTube bypass of the Master Lock #175 (very common 4-digit code lock), using a paperclip.
After the video reached 1.5M views (over a couple years), the video was eventually demonetized (no official reason given). I suspect there was a similarly-frivolous DMCA / claim, but at that point in my life I didn't have any money (was worth negative) so I just accepted YouTube's ruling.
Eventually shut down the account, not wanting to help thieves bypass one of the most-common utility locks around — but definitely am in a position now where I understand that videos like mine and McNally's force manufacturers to actually improve their locks' securities/mechanisms.
It is lovely now to see that the tolerances on the #175 have been tightened enough that a paperclip no longer defeats the lock (at least non-destructively); but thin high-tensile picks still do the trick (of bypassing the lock) via the exact same mechanism.
Locks keep honest people honest, but to claim Master's products high security is inherently dishonest (e.g. in their advertising). Thievery is about ease of opportunity; if I were stealing from a jobsite with multiple lockboxes, the ones with Master locks would be attacked first (particularly wafer cylinders).
The most absurd thing is the original video response from the company was good, and with a very compelling argument: their customers never saw shimming in the field. Their user base doesn't need shimming resistance: security needs to be adequate, not perfect. And they follow up by presenting options about people requiring the lock to be shim-proof.
Granted, in this day and age, it's a disgrace to still make locks that can be shimmed. Especially when the shim-proof alternatives they show just have an additional notch to catch the shim.
This guy shims a $100+ lock in 10 seconds with a Liquid Death can, all without speaking in the video, just replays and then destroyed their claims and GTFO. Absolutely masterful.
If you don't know him already, I highly recommend videos by LockPickingLawyer — he routinely destroys bogus claims of various companies within seconds. It's quite entertaining to see how little security you actually get from most locks.
This reminds me of the CEO of a cyber security company that challenged Anonymous: https://en.wikipedia.org/wiki/HBGary. If you work for any kind of security company, do not ever ever ever challenge any kind of penetration specialist. Everything is hackable, it is only a matter of cost vs reward, but when you challenge someone that goes out of the window.
If a company’s first reaction to a flaw is to sue instead of fix it, the problem probably goes beyond the lock itself. A real security company would appreciate someone pointing out a weakness rather than trying to take the video down. That kind of openness would actually make people trust them more.
Once came back to work after 4 week holidays (not USA) and realized I forgot the 3 digit code to my locker.
But I remembered that friend's locker (he was on holidays then) used US police code for murder. (Police in US use codes for crimes when communicating on the radio).
I googled the code, used friend's locker for the day, and by lunch the next day I'd brute-forced through enough codes to learn that my code was the embarrassing 420.
If anyone is interested in the legal side, I'd also recommend 'Runkle of the Bailey' who has a series on this saga but with a focus on the legal shenanigans [0]
I wonder how many stories like this are caused simply because a corporate lawyer is looking for some work to do, and maybe to meet some kind of internal KPI.
Someone : “Sucks to see how many people take everything they see online for face value,” one Proven employee wrote. “Sounds like a bunch of liberals lol.”
The company : Proven also had its lawyers file “multiple” DMCA takedown notices against the McNally video, claiming that its use of Proven’s promo video was copyright infringement.
When did facts and enlightenment start to be for "liberals lol"?
Freedom of speech based on facts should be universal.
It's probably a good thing for Proven that they didn't get into this dispute with the LockPickingLawyer instead. He'd wind up owning their company in the counter-suit...
Suing someone because your product doesn't work correctly is diabolical. Instead of filing a lawsuit, they should have acknowledged the issue and released an upgrade to their locks.
Someone seriously needs to be taken to task for filing a false DMCA. DMCA is just another term for SLAPP these days. If anyone is a lawyer, they could still be despite retracting the case?
> Lee’s partner and his mother both “received harassing messages through Facebook Messenger,” while other messages targeted Lee’s son, saying things like “I would kill your f—ing n—– child” and calling him a “racemixing pussy.”
Some people always go too far, undermining the good cause of the others
LPL (Lock Picking Lawyer) has been making a fool of MasterLock and other physical security products/marketing for many years.
Guess ML realizes it’s best to be humiliated online where a small subset of population would never buy their products anyways. Rather than humiliate themselves in public like Proven Industries did (Barbra Streisand effect?)
I am concerned about the public reacting aggressively against the lock company owner and his family. The guy is definitely a toxic bully, but he was indeed violently harassed by filing a lawsuit, however unjust it was.
The correct support for a just cause must have been constructive: providing financial support for the defendant, public manifestation campaign, professional lobbying, etc
Although this time I agree with the defendant cause, the response by the public was as toxic bullying as the plaintiff, only stronger.
Um...shouldn't Proven just hire Trevor McNally as a consultant or heck, make him a partner? I mean...can you imagine the next level reputation they'd have if they can adapt and make a Trevor-proof lock?
These kinds of results seem all too common. Like, why? Are companies just too used to using their general business attorneys for it, and those attorneys are just ignorant? Hungry for extra billable hours?
> In the end, Proven’s lawsuit likely cost the company serious time and cash—and generated little but bad publicity.
There's no such thing as bad publicity. People say this for a reason. It's true. I'm willing to bet that their sales have only increased since this started.
10M people watched a YouTuber shim a lock; the lock company sued him – bad idea
(arstechnica.com) | 1481 points by Brajeshwar | 27 October 2025 | 578 comments
Comments
I wonder if anybody tried suing him…
https://www.youtube.com/watch?v=NadPAE6BDbA
It is interesting to see that these companies still don't know about the Streisand Effect or they choose to think that it won't happen to them.
For those interested in the actual case, here's some deeper coverage of this brouhaha including how Lee may have perjured himself during deposition.
[0] https://www.youtube.com/watch?v=y3WVme9LAcQ&list=PLo0bMOObfk...
Another way of responding to this is… to improve the lock?
Could even explore a positive collaborative social media campaign promoting the new lock.
Ship has sailed now…
https://m.youtube.com/@provenindustries8236
Gotta admit it's entertaining, though.
https://www.courtlistener.com/docket/70036390/proven-industr...
God Bless McNally
Those are exactly the people who usually break locks. All others fail on simple locks too.
I'd buy it.