August 7, 2006

The Cunning Old Bastard Has Fitted a Yale
Posted by Jim Macdonald at 12:42 PM *

My name is Chubb, that makes the patent locks:
Look on my works, ye cracksmen, and despair.

Imagine my surprise to discover that the general solution to the pin-tumbler lock has been discovered. That includes the locks on your car, on your house, on your mailbox … all of ’em.

That solution is the “bump key.” What it is: a key blank with all the pin positions cut down to their lowest points. This is placed in the lock, put under a bit of torsion, and the end of the key struck smartly with an object, say the handle of a screwdriver. The key then turns, the lock opens.

Unlike standard lockpicking (which takes skill and practice, and leaves detectable marks on the lock), 80% of folks who try this, folks with no experience with lockpicking, can manage to do it on the first try leaving no forensic evidence that the lock was opened by anything but a legitimate key. And it’s quick: about as fast as the homeowner using that legitimate key.

All you need is a bump key that’ll fit in the keyhole to start with. I’m told, and I’m foolish enough to believe, that you can buy ’em over the ’net. Given the proper key blank and a file you can make one yourself at home. Subdivisions where all the locksets were bought from the same contractor and thus have the same keyblank are particularly vulnerable; every house can be opened using just one bump key.

Here’s a paper (.pdf) explaining how it works; here’s a video of a lad demonstrating the technique.

Comments on The Cunning Old Bastard Has Fitted a Yale:
#1 ::: elise ::: (view all by) ::: August 07, 2006, 12:57 PM:

Oh! They're using something like the technique of the lockpick from Morrowind "Oblivion."

#2 ::: Xopher ::: (view all by) ::: August 07, 2006, 01:01 PM:

That's pretty bad. Wow. Our outside locks are more sophisticated, but all our apartment doors are pin tumblers. That's bad news.

I have a security system, but still.

#3 ::: Fragano Ledgister ::: (view all by) ::: August 07, 2006, 01:35 PM:

This is bloody scary. It doesn't work against double bolting, I don't think, but that's no help if nobody's home.

#4 ::: Sarah S ::: (view all by) ::: August 07, 2006, 01:49 PM:

Alas for the romance of Raffles, Jimmy Valentine, and Bernie Rhodenbarr....

#5 ::: Josh Jasper ::: (view all by) ::: August 07, 2006, 02:03 PM:

Time for me to find out how much a keypad deadbolt will cost...

#6 ::: Lawrence Evans ::: (view all by) ::: August 07, 2006, 02:16 PM:

Standard lockpicking does not leave marks, not if you're any good at it.

This "bump key" idea is an improvement on the old lockpicking gun that's in every locksmith's toolbox, it's not entirely new, but it is definitely interesting. It eliminates the need for a turning wrench, for one thing. Not to mention that a bump key would be easier to hide and harder to identify as "burglary tools" should one be searched.

#7 ::: Greg London ::: (view all by) ::: August 07, 2006, 02:18 PM:

I think for someone to have a "bump key" is equivalent to them having a lockpick, which means you're not going to stop them because of the lock you use, but because of whether or not your place presents an opportunity for them. If a bump key is a key ground down to the shortest points, then you'll still need a bump key for every brand of lock, or look for locks that are the same brand as the bump key you have.

#8 ::: DRR ::: (view all by) ::: August 07, 2006, 02:21 PM:

The obvious solution is to never own anything worth stealing.

#9 ::: Sarah S ::: (view all by) ::: August 07, 2006, 02:24 PM:

DRR

As long as I own my 4'11" and 125 pounds, I've got something worth stealing...or at least, something worth protecting.

#10 ::: Stefan Jones ::: (view all by) ::: August 07, 2006, 03:13 PM:

Damn. If my dog reads this, she's going to demand a raise.

#11 ::: Dave Bell ::: (view all by) ::: August 07, 2006, 03:30 PM:

And just how often does a burglar use a lockpick?

#12 ::: Christine ::: (view all by) ::: August 07, 2006, 03:40 PM:

Wow, I am SO glad that I talked my husband out of changing our lock. He wanted a 'modern' lock. The house has the old deadbolt type lock that takes a skeleton key. It's the original lock, and the house was built in late 20's or so.

Just another reason I like my locks.

#13 ::: Lila ::: (view all by) ::: August 07, 2006, 03:43 PM:

I am SO glad I live in a house with 4 dogs. They aren't an absolute deterrent, but they do present a considerable inconvenience.

#14 ::: James D. Macdonald ::: (view all by) ::: August 07, 2006, 03:47 PM:

And just how often does a burglar use a lockpick?

Beats the heck out of me. Given that lockpicking is a skill and requires practice, less often than it would if opening a locked door required little skill or practice.

Quoting, now, from Burglary Prevention Advice:

The first step is to "harden the target" or make your home more difficult to enter. Remember, the burglar will simply bypass your home if it requires too much effort or requires more skill and tools than they possess.

Skill-and-tool requirements have just been radically reduced.

See also http://www.youtube.com/watch?v=7Uv45y6vkcQ (in Dutch, with subtitles).

#15 ::: James D. Macdonald ::: (view all by) ::: August 07, 2006, 04:38 PM:

Another presentation on the technique:

http://deviating.net/lockpicking/08.01-bump_keying.html

Warning: the animations are huge and take a long time to download. On the positive side, at the end of the presentation they give the names and model numbers of locks that include anti-bumping features.

Here are the most important/interesting pages:

http://deviating.net/lockpicking/08.14-importance.html
http://deviating.net/lockpicking/08.16-countermeasures.html
http://deviating.net/lockpicking/08.25-anti-bump.html

#16 ::: Martin Wisse ::: (view all by) ::: August 07, 2006, 05:14 PM:

I see James beat me to the Dutch video, which is very good in explaining the technique and dangers. It was originally made for the main Dutch late night news programme.

#17 ::: Ulrika O'Brien ::: (view all by) ::: August 07, 2006, 05:48 PM:

In the initial document I'm not seeing any reference to Medeco locks. I would assume this technique wouldn't work on them for the same sorts of reasons that lockpicks don't. Have any specific information, Jim?

#18 ::: Linkmeister ::: (view all by) ::: August 07, 2006, 06:07 PM:

"Damn. If my dog reads this, she's going to demand a raise."

Mine already has. I negotiated it down to no more than one Sentinel tab per month, but she refused to give up the one egg per week.

#19 ::: David Dyer-Bennet ::: (view all by) ::: August 07, 2006, 06:07 PM:

The key illustrated is very clearly *not* ground down to a simple flat line. There's probably something moderately special about the height of the bumps. And it's probably relevant that he hits the *end* of the key driving it in (and probably by bounce, back out some).

Still a cool technique; though I've never heard of a real-world house burglary that involved lock-picking.

I did some amateur lock-smithing in college, and found on my first try I could pick the decent pin-tumbler locks on the dorm doors, for example. It was also fascinating to discover how pin-tumbler locks work, and how master keys work, and how to rekey locks.

I thought car locks were "disk tumbler" rather than pin tumbler, whatever that means? Aren't the symmetrical double-sided keys diagnostic of that?

#20 ::: David Dyer-Bennet ::: (view all by) ::: August 07, 2006, 06:40 PM:

Ah, deviating.net has demystified the key grind, and clarified things considerably.

#21 ::: James D. Macdonald ::: (view all by) ::: August 07, 2006, 06:52 PM:

I'm not personally any kind of expert on locks, Ulrika. Here's what Medeco has to say about their anti-picking protection (I would hope, however, that they don't say everything):

A special elevating and rotating pin tumbler design, along with false slots on the bottom pins, mushroom top pins and a sidebar mechanism, work together, to provide superior pick resistance.

http://deviating.net/lockpicking/08.16-countermeasures.html tells us "Medeco is impervious, but remember Assa V10 vulnerability."

Another security feature of Medeco that would slow down bumping is that their keyblanks are proprietary: you can't get 'em at any corner hardware store, only direct from their factory (not that that would slow down someone with a complete machine shop, but we aren't thinking about guys with complete machine shops, we're thinking about garden-variety burglars).

The Assa V10 vulnerability is this:

If it's the case that every lock shop has just one sidebar permutation, then the Scorpion lock has the same vulnerability to bumping as the ASSA twin. You would simply buy a lock from the shop that provided the lock you want to bump (i.e. the dealership in the same city), and then make a bump key from that. The sidebar cuts will match, and it's then just a case of bumping the pin columns.

Medeco locks are also mentioned in this report (.pdf): http://www.security.org/bumping_040206.pdf (The entire report is worth reading.)

#22 ::: Giacomo ::: (view all by) ::: August 07, 2006, 06:58 PM:
Still a cool technique; though I've never heard of a real-world house burglary that involved lock-picking.
In several European countries, locksmiths are usually required to register with the Police. This helps keep skilled lockpickers working in smaller markets with higher margins, i.e. they are not going to risk jail time to attack average properties without knowing full well that the return on investment will be big enough. It seems like a paradox, but if you secured your house and somebody picked your locks, the probability that the police will find the criminal is much higher than if somebody just smashed your door with an axe.

Average properties are usually targeted by low-scale burglars that can't be bothered to learn lockpicking. Close your window and secure your backyard, and 90% of them won't even look at your house (unless you leave on your doorstep, for days, several big cardboard boxes coming from expensive electronic equipment you just bought... as someone I know once did). Somehow, I don't think that this trick will change the situation considerably.

#23 ::: James D. Macdonald ::: (view all by) ::: August 07, 2006, 07:25 PM:

The biggest problem I see is that any bozo in Apartment 101 who turns his key into a bump key now has access to every apartment in the building. Even if he moved away and the lock to Apartment 101 is subsequently changed, he'd still have 100% access. Apartment houses seldom put $200 high-security locks in their individual doors.

Or someone could make a bump key from a Kwikset key (buy 'em at any hardware store and get a lock to practice on at the same time!), then roam around until he spotted a Kwikset lock on a house.

Unlike a set of lockpicks (or a crowbar) if the key is just one of many on a keyring it might not instantly be recognizable as burglar's tools.

#24 ::: Greg London ::: (view all by) ::: August 07, 2006, 07:43 PM:

Apartment 101

I would guess/predict that within ten years, electronic locks will become standard on apartment buildings. They let landlords lock out people who have been evicted, but let everyone else into the main door. And they let maintenance people access all rooms but can keep a record of it in case there's trouble, or restrict them from various places. Plus you can cancel an individual key if someone loses it, without changing the front door lock, and giving all the tenants new keys to the front door.

The only real problem that needs to be overcome is figuring out a way to power the lock in case of a blackout. And building a UPS into the wall with a panel for the battery would probably give a week's worth of power. Having hand-cranked generators would be an alternative.

Anyway, when that happens, key bumping won't be a problem. There will be equivalent problems, probably, but bumping won't be one.

I'd like to get electronic locks for my house, but I don't think the technology is quite there yet.

#25 ::: Paula Helm Murray ::: (view all by) ::: August 07, 2006, 10:03 PM:

Our main door has a key that we have to go to a specific locksmith in town to duplicate, plus it's persnickety, sometimes it won't work unless you hold your mouth right and pull the door the right way.

I suspect the door handle/lockset is original to the house (1912) and that the cylinder may have been replaced in the 20s-30s (my mom says it looks like they added part of the house on in the 20s, I have no proof but her parents remodeled houses as an amusement after they got the kids out of the house).

I'd hate to try to replace the door handle, because it goes with the door, which is huge, oak and has two leaded glass sidelights. One of my aesthetic additions I've gotta go look for is that the center pane is currently plain glass with curtains, I want to go to our architectural salvage place and find a same-size stained glass panel I can hang behind the plain glass OR replace the stained glass.

In my neighborhood, most burglaries are crimes of opportunity, mostly in empty houses. We have a large, goth human watchdog living on the first floor plus an alarm system. Because our lawnmower got stolen out of the garage some time this last week or so, I'm going to look at putting in a motion-sensor light and have Jim make a nice sign that says "Smile, you're on video camera!" to put on the garage. (apparently the garage door didn't latch while he was going in and out smoking meat for Worldcon...)

#26 ::: James D. Macdonald ::: (view all by) ::: August 08, 2006, 02:17 AM:

Christine, while a warded lock isn't vulnerable to bumping, it's a very vulnerable lock in its own right. Please upgrade. At the very least add a decent modern lock.

#27 ::: Larry Brennan ::: (view all by) ::: August 08, 2006, 02:55 AM:

Most locksmiths have Medeco locks on their own doors. If you look at the various sources on this thread, their locks are reasonably secure. Certainly more secure than the doors they're mounted in.

(No business relationship, just don't want to see anyone get burgled needlessly.)

#28 ::: Pete Darby ::: (view all by) ::: August 08, 2006, 04:03 AM:

Apart from anything else, you'll have me muttering Bastity Chelt to myself all day now...

http://www.geocities.com/dschutze/wwsongs/bastity_chelt.htm

#29 ::: Peter Erwin ::: (view all by) ::: August 08, 2006, 06:00 AM:

I would guess/predict that within ten years, electronic locks will become standard on apartment buildings. They let landlords lock out people who have been evicted, but let everyone else into the main door. And they let maintenance people access all rooms but can keep a record of it in case there's trouble, or restrict them from various places. Plus you can cancel an individual key if someone loses it, without changing the front door lock, and giving all the tenants new keys to the front door.

What you're describing sounds similar to what some hotels are using today. Which is not necessarily encouraging...

Anyway, when that happens, key bumping won't be a problem. There will be equivalent problems, probably, but bumping won't be one.

It may get worse. Cracking attacks against physical locks require specific knowledge of how to alter a physical device (the key blank) and machinery to do so. Cracking attempts against electronic locks may only require downloading the latest code and password dictionaries to update your fake keycard. From this story:

... they were able to clone and manipulate RFID tags used in hotel room key cards and corporate access cards and create a master key card to open every room in a hotel, office or other facility. He was able, for example, to clone Mifare, the most commonly used key-access system, designed by Philips Electronics. To create a master key he simply needed two or three key cards for different rooms to determine the structure of the cards. Of the 10 different types of RFID systems he examined that were being used in hotels, none used encryption.

Many of the card systems that did use encryption failed to change the default key that manufacturers program into the access card system before shipping, or they used sample keys that the manufacturer includes in instructions sent with the cards. Grunwald and his partners created a dictionary database of all the sample keys they found in such literature (much of which they found accidentally published on purchasers' websites) to conduct what's known as a dictionary attack. When attacking a new access card system, their RFDump program would search the list until it found the key that unlocked a card's encryption.

"I was really surprised we were able to open about 75 percent of all the cards we collected," he says.

The dangerous part of this is not necessarily the specific technology ("Don't use RFID-based locks!") but the fact that the people developing and deploying electronic locks don't take security nearly seriously enough.

#30 ::: James D. Macdonald ::: (view all by) ::: August 08, 2006, 07:57 AM:

It isn't just hotel locks. Those new RFID passports that are supposed to Make Us Safer seem to have a vulnerability too:


LAS VEGAS, Nevada (AP) -- Electronic passports being introduced in the United States and other countries have a major vulnerability that could allow criminals to clone embedded secret code and enter countries illegally, an expert warned.


A demonstration late Friday by German computer security expert Lukas Grunwald showed how personal information stored on the documents could be copied and transferred to another device.


It appeared to contradict assurances by officials in government and private industry that the electronic information stored in passports could not be duplicated.


"If there is an automatic inspection system, I can use this card to enter any country," Grunwald said, holding up a computer chip containing electronic information he had copied from his German passport.


The research is the latest to raise concerns about the growing use of RFID, short for radio-frequency identification, which allows everyday objects such as store merchandise, livestock and security documents to beam electronic data to computers equipped with special antennas.

#31 ::: Peter Erwin ::: (view all by) ::: August 08, 2006, 10:05 AM:

Indeed. In fact, the link I quoted from above is mostly about the passport RFID cracking; towards the end of the article is where they bring in the RFID-based hotel passkeys (same group of German hackers).

#32 ::: James D. Macdonald ::: (view all by) ::: August 08, 2006, 01:54 PM:

Skilled lockpick with tools is to key bumper with bump key as Unix hacker is to script kiddie.

#33 ::: Ben M ::: (view all by) ::: August 08, 2006, 02:32 PM:

It looks like this depends on the pins being able to bounce and recoil in a particular way. Am I wrong to think that a viscous lubricant---say, motor oil---would put a stop to that? Insert the correct key, the pins squelch smoothly into position. Take the key out, the pins ooze back to their rest positions. Hit the pin with a bump key and a hammer, it plows a few microns through its oil-clogged tube before coming to rest.

The only problem is if your key ends up covered in motor oil.

#34 ::: Greg London ::: (view all by) ::: August 08, 2006, 02:43 PM:

Those new RFID passports that are supposed to Make Us Safer seem to have a vulnerability

I figured it would take about 10 years for that sort of thing to get straightened out. I was imagining something like a public key encryption dongle or similar, not just a "i-am-about-to-transmit-my-secret-code-via-radio-waves-did-you-hear-me-no-then-let-me-retransmit" sort of thing.

The idea being that the channel is public and keys can get lost or stolen and you don't want them to simply transmit their sequence to anyone who asks. You want to do an Identify Friend or Foe type thing where you can't trust anything and you can never transmit the secret code in the air.
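
The challenge-response idea in the comment above, as an added example that is not part of the original thread: a tag that always sends the same code, next to a tag that only ever sends a MAC over a fresh reader nonce, so the secret never goes over the air. The class names, the 16-byte nonce, the tag identifiers and the choice of HMAC-SHA256 are assumptions made for illustration, not any real card, lock or passport protocol.

```python
"""Static-code tag vs. challenge-response tag: what a recorded exchange is worth.

Constructed illustration only; all names and values here are made up.
"""
import hashlib
import hmac
import secrets


class StaticTag:
    """Answers every query with the same bytes (the 'transmit my code' design)."""

    def __init__(self, code: bytes):
        self.code = code

    def respond(self) -> bytes:
        return self.code


class StaticReader:
    def __init__(self, valid_codes):
        self.valid_codes = set(valid_codes)

    def verify(self, response: bytes) -> bool:
        return response in self.valid_codes


class ChallengeResponseTag:
    """Holds a per-tag secret key; sends only a MAC over the reader's nonce."""

    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, nonce: bytes):
        # Nonce length is fixed, so nonce + tag_id is an unambiguous encoding.
        mac = hmac.new(self._key, nonce + self.tag_id, hashlib.sha256).digest()
        return self.tag_id, mac


class ChallengeResponseReader:
    def __init__(self, keys_by_tag_id):
        self._keys = dict(keys_by_tag_id)
        self._pending = set()  # nonces issued and not yet used

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def revoke(self, tag_id: bytes) -> None:
        """Cancel one lost or stolen tag without touching any other tag."""
        self._keys.pop(tag_id, None)

    def verify(self, nonce: bytes, tag_id: bytes, mac: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used challenge
        self._pending.discard(nonce)  # every nonce is single-use
        key = self._keys.get(tag_id)
        if key is None:
            return False  # unknown or revoked tag
        expected = hmac.new(key, nonce + tag_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def run_demo() -> dict:
    results = {}

    # Static design: whatever was overheard once is as good as the tag itself.
    static_tag = StaticTag(b"ROOM-101-CODE")  # constructed sample value
    static_reader = StaticReader([static_tag.code])
    overheard = static_tag.respond()
    results["static_genuine"] = static_reader.verify(static_tag.respond())
    results["static_replay"] = static_reader.verify(overheard)

    # Challenge-response design.
    tag_id = b"tag-0001"  # constructed sample value
    key = secrets.token_bytes(32)
    tag = ChallengeResponseTag(tag_id, key)
    reader = ChallengeResponseReader({tag_id: key})

    nonce1 = reader.new_challenge()
    rec_id, rec_mac = tag.respond(nonce1)  # assume this exchange was recorded
    results["cr_genuine"] = reader.verify(nonce1, rec_id, rec_mac)

    # The recorded answer does not match a fresh challenge...
    nonce2 = reader.new_challenge()
    results["cr_replay_fresh_nonce"] = reader.verify(nonce2, rec_id, rec_mac)
    # ...and the old challenge is no longer accepted.
    results["cr_replay_old_nonce"] = reader.verify(nonce1, rec_id, rec_mac)

    # A lost tag is revoked; even the genuine tag is then refused.
    reader.revoke(tag_id)
    nonce3 = reader.new_challenge()
    results["cr_after_revocation"] = reader.verify(nonce3, *tag.respond(nonce3))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The sketch covers replay and revocation only: the tag still sends `tag_id` in the clear to any reader that asks, and the reader has to store every tag's key.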

#35 ::: Peter Erwin ::: (view all by) ::: August 08, 2006, 03:36 PM:

I figured it would take about 10 years for that sort of thing to get straightened out. I was imagining something like a public key encryption dongle or similar, not just a "i-am-about-to-transmit-my-secret-code-via-radio-waves-did-you-hear-me-no-then-let-me-retransmit" sort of thing.

Except that "getting it straightened out" is difficult to do once you start implementing a whole system this large (tens of millions of passports and all the readers at all the immigration checkpoints). Once that's done, there's a strong bureaucratic inertia against changing things, or even admitting that there's a problem. The people in charge of this program have shown little sign of proceeding slowly and cautiously and testing things carefully first.

The idea being that the channel is public and keys can get lost or stolen and you don't want them to simply transmit their sequence to anyone who asks. You want to do an Identify Friend or Foe type thing where you can't trust anything and you can never transmit the secret code in the air.

Two problems:
1. Public communication means that the fact that you have a passport can be generally known; in certain circumstances, that's not a good idea. (Leaving aside the possibility that, e.g., the nationality might be revealed by the communication protocol.)
2. Even if you have what is in theory a good protocol, it's proved astonishingly hard for people to implement security protocols and algorithms without subtle bugs that render the security moot. It requires time and careful analysis (ideally by the general cryptographic community) to find these things out.

#36 ::: Greg London ::: (view all by) ::: August 08, 2006, 03:50 PM:

it's proved astonishingly hard for people to implement security protocols and algorithms without subtle bugs that render the security moot.

Yes, I know. Believe me, I know.

As for the rest, no disagreement here.

Except that I was talking about using electronic keys to solve the "key bumping" problem. Especially in an apartment building, where you could easily get a key that fits all the locks and grind it down to the minimal positions.

Passports are a different beast altogether.

#37 ::: Robert L ::: (view all by) ::: August 08, 2006, 07:55 PM:

But in fact, lockpicking a Yale lock is not that hard. I have never actually mastered it, but a friend (whose boyfriend at the time was a locksmith) showed me how it's done. I don't think I quite understood the principle, but reading Richard Feynman's chapter about lockpicking and combination hacking in Surely You're Joking, Mr. Feynman clued me in. Finding something to make the picks out of is a bit tricky. And of course they're illegal--burglar tools. But it's relatively easy to master, I think, since I've seen a lot of people do it (my friend had some cylinders to practice on). And once you've got it, you've got it.

It is indeed a sobering thought to realize that there's really no such thing as a locked door. It's even more sobering to realize that there never really has been.

#38 ::: Greg London ::: (view all by) ::: August 08, 2006, 08:05 PM:

Hm, I just realized that this very morning, my wife asked me to cut a padlock we lost the key to, so I get the bolt cutter out of the garage and it sliced through it like hot butter through a knife.

#39 ::: Fragano Ledgister ::: (view all by) ::: August 08, 2006, 08:22 PM:

Hm, I just realized that this very morning, my wife asked me to cut a padlock we lost the key to, so I get the bolt cutter out of the garage and it sliced through it like hot butter through a knife.

How do you keep your butter sharp?

#40 ::: Greg London ::: (view all by) ::: August 08, 2006, 09:08 PM:

How do you keep your butter sharp?

With flash cards and practice tests

#41 ::: Bob Oldendorf ::: (view all by) ::: August 08, 2006, 11:49 PM:

It is indeed a sobering thought to realize that there's really no such thing as a locked door.

Locks only stop honest people. They are at most an inconvenience for somebody determined to go through that door.

I went to a Geek School. I knew guys in college who made their own campus-wide master keys, both as an intellectual exercise and to avoid the inconvenience of having to carry numerous different keys. (To my knowledge, they used their powers only for good....)

#42 ::: Dave ::: (view all by) ::: August 09, 2006, 06:55 AM:

Yale keys must just be one of those quaint held-over-from-the-19th century features of life in the States. In this corner of "old europe", keys have 6-8 rows of dimples, on all four sides of the blank, and (judging from the shape of the cuts) probably involve rotation like Medecos. I have a couple of american-style keys on my ring, but they're strictly low-security (gas tank cap, etc.) -- not for buildings or anything.

#43 ::: James D. Macdonald ::: (view all by) ::: August 09, 2006, 08:21 AM:

Like the keys illustrated on pages 4, 6, and 7 of the paper linked from the original post?

#44 ::: Lori Coulson ::: (view all by) ::: August 09, 2006, 10:32 AM:

Robert L: Being in possession of lockpicking tools may be a crime in some jurisdictions.

However, most companies that sell supplies to law enforcement and emergency services sell a lockpicking kit. Our investigators have one, and we've borrowed it whenever someone manages to lock the ancient file cabinets whose keys were lost many moves ago...

#45 ::: Dave ::: (view all by) ::: August 09, 2006, 10:52 AM:

Somewhat like, yes, although I only saw circular dimples, not angled ones (which is what reminded me of the old Medecos). I did lie earlier -- looking a little more closely at my keys, they're rotationally symmetric, so the pins are only in 3-4 rows on 3 different axes, not 6-8 on 4. See http://www.kaba.co.uk/products/kaba-quattro-s.asp for something similar.

So: if the pins really need to be rotated, good luck with bumping. If they don't, (and if I understand this properly) you would still need to be able to bump in two opposing (plus one perpendicular) directions within the mechanical time constant of the pins.

Given time, and applying tension, it still ought to be possible to work pin by pin, jiggling each into place. But it seems far less likely that it'd occur with simple impulses than it would with the geometry of 5-7 pins along a single axis.

#46 ::: Steven Gould ::: (view all by) ::: August 09, 2006, 11:20 AM:

I'm leaning toward biometrics, myself. For $110 one can buy a fingerprint based lock with the ability to store lots of fingerprints in it. (The whole family plus the trusted friends.)

Best of all, it's (usually) hard for me to leave my fingers in the other pants.

This conversation is making me lean harder, but I still need to research its failure rate, etc.

#47 ::: Steven Gould ::: (view all by) ::: August 09, 2006, 11:46 AM:

Well, forget that!

A brief google on fingerprint locks shows a whole host of issues including ones that are bypassed by using a warm gummy bear.

The other issue is that most of the locks have a mechanical key override which is probably still vulnerable to bumping.

#48 ::: James D. Macdonald ::: (view all by) ::: August 09, 2006, 11:50 AM:

I expect that, for a key lock, unless the manufacturer's literature says the lock is bump-resistant you should assume that it's vulnerable to bumping.

#49 ::: BigHank53 ::: (view all by) ::: August 09, 2006, 12:05 PM:

Mr. Gould:

Biometrics are good for low-security items, or for systems that can be replaced entirely if security fails. I wouldn't touch them with a ten-foot pole. In Malaysia, an owner of a BMW(?) that used a fingerprint reader instead of a key had his finger removed by the thieves that stole his car. Bad failure mode.

Now consider a system that can't be replaced--banking, for example. What do we do for clients who lack the appropriate finger or eye? How do we handle clients who lose one? How do we handle undercover agents and relocated witnesses?

I am going to plug Bruce Schneier here, as one of the clearest writers on security. He comes at the subject from a background of cryptography, but his last two books are written for a general audience. Secrets and Lies introduces the concepts of threat models and attack trees. Thinking about these things can keep one from making foolish mistakes with limited resources.

#50 ::: Peter Erwin ::: (view all by) ::: August 09, 2006, 01:16 PM:

I am going to plug Bruce Schneier here, as one of the clearest writers on security. He comes at the subject from a background of cryptography, but his last two books are written for a general audience. Secrets and Lies introduces the concepts of threat models and attack trees. Thinking about these things can keep one from making foolish mistakes with limited resources.

And I will second the plug. (I would feel ever so much safer if he or someone similar were in a position of real authority within DHS, for example.)

Here is his blog entry on the Malaysian finger-theft (a Mercedes rather than a BMW, but otherwise spot on.)

#51 ::: eric ::: (view all by) ::: August 09, 2006, 05:08 PM:
Robert L: Being in possession of lockpicking tools may be a crime in some jurisdictions.

Certainly not at MIT. But discretion is key there. Breaking and entering and storytelling and all that.

However, most companies that sell supplies to law enforcement and emergency services sell a lockpicking kit.

They're not that hard to make, if you know what they should look like. A dremel tool to shape, and street sweeper bristles for the material.

Our investigators have one, and we've borrowed it whenever someone manages to lock the ancient file cabinets whose keys were lost many moves ago...

My last office had (steelcase?) standard cubicle furniture, with really bad locks that no one had the keys to. They were pickable with paperclips, in some cases with a little tension and one rake of the pins. Almost as fast as finding the correct key, had we had them.

The day after halloween, I picked the lock closed on my coworker's desk where he was storing the candy, so that I wouldn't eat anymore. I wasn't in the office for the next day or two, but they learned to pick the lock in a couple hours.

#52 ::: Michelle ::: (view all by) ::: August 10, 2006, 12:48 PM:

Here we call this To Mexican. As, wow you just mexicaned that lock. Not everyone says this but it's pretty common practice.

When your key wears down you can still use it...and then take it out..while the car is still going. When the lock itself wears down you can start the car without a key at all. The verb comes from Mexicans who buy old cars. Usually the locks/keyed areas are so worn down you don't need a key. This happens a lot faster now with the materials we use in locks. Go fig.

Bumping is a logical thing. If you can force an object past the tumblers the lock will turn. That's any object. Using a blank key is okay, but why bother when a slim pair of scissors will work too.

These in which a lock is picked depends on the make (some new locks just take a screw driver), the materials used, and the strength of the bolt.

As with bombs, this information is everywhere. You just have to put two and two together in high school science class.

#53 ::: Greg London ::: (view all by) ::: August 10, 2006, 01:05 PM:

bypassed by using a warm gummy bear.

yep. That plus it might encourage someone who doesn't know about gummy bears to lop off your finger.

I think any bio-based lock needs to have built into the system an inherent check that the source of the bio is actually alive.

I was thinking maybe you could have voice pattern recognition, where the computer puts random words up on a screen and you have to speak them back. This prevents a baddie from recording the one and only password and playing it back on a portable tapedeck. Stress analysis could automatically call the police if the voice pattern reveals the speaker is tense and nervous, because maybe there's a gun to his head.

The other idea was having retinal recognition, but have it be a monocular that you look into, that is small enough that no one else can see, and then have it not only recognize the retinal pattern, but have it draw a dot on the screen, move it around to random locations, and require that you follow the dot in focus. This would thwart someone from simply gouging your eyeball out and sticking it against the monocular.

Think of Tom Cruise's wife in "Minority Report" who got into a secure location by carrying her husband's old eyes (getting new eyes transplanted in) around in a ziplock bag.

#54 ::: Alan Braggins ::: (view all by) ::: August 10, 2006, 02:15 PM:

In theory you can get fingerprint scanners that only respond to a warm fingerprint with a pulse, retinal scanners that insist on there being blood flowing through the blood vessels in the retina, iris scanners that insist on the iris responding to light levels etc.
In practice, or at least affordable practice, not so much. You have a choice between easily fooled things and things that won't recognise you as yourself most of the time.
(If you have the time and budget for the really advanced stuff, you also have a guard looking for suspicious behaviour through the bulletproof glass as people go one at a time through the airlock style doors.)

#55 ::: Greg London ::: (view all by) ::: August 10, 2006, 03:07 PM:

actually, I think a voice pattern recognition thingy, combined with a random sentence generator to act as a "captcha" mechanism, should be little more difficult to implement than a regular voice recognition thingy. At that point, you're just talking more software, not more hardware.

The retinal-eye-dance thingy, would have to have a bunch of extra hardware.

#56 ::: Peter Erwin ::: (view all by) ::: August 10, 2006, 03:47 PM:

actually, I think a voice pattern recognition thingy, combined with a random sentence generator to act as a "captcha" mechanism, should be little more difficult to implement than a regular voice recognition thingy. At that point, you're just talking more software, not more hardware.

That's a bit like saying AI is just "more software" ;-)

As I understand the idea, a voice recognition thingy with a standard phrase is essentially a sound-matching device: does the input sound match the stored sound to within tolerances? Possibly including some simple word recognition to chop it up into individual words and do the comparison that way (ignoring differing spaces between words).

Being able to ID someone via a random sentence is much harder, since it implies the ability to abstract a general "voice pattern" from the actual sounds. People can do that in their brains (probably because it's evolutionarily useful to be able to tell who's talking at night), but not always reliably.

A simpler intermediate solution is a small dictionary of pre-recorded sentences, enough so that it's hard for someone to secretly record all the necessary sentences.

(But what happens if you've got a cold, or a bad sore throat?)

#57 ::: Greg London ::: (view all by) ::: August 10, 2006, 05:35 PM:

That's a bit like saying AI is just "more software" ;-)

Well, I view AI on par with hyperdrives. they are a long ways out and we've got a whole lot to learn before we get there.

I think though that machine intelligence needed for the specific job of recognizing a voice would be possible.

#58 ::: Peter Erwin ::: (view all by) ::: August 10, 2006, 06:03 PM:

Well, I view AI on par with hyperdrives. they are a long ways out and we've got a whole lot to learn before we get there.

Well, as I mentioned on another thread, AI isn't on par with hyperdrives because AI doesn't require entirely new, made-up physics.

I think though that machine intelligence needed for the specific job of recognizing a voice would be possible.

Oh, I agree. But I think it would be a lot harder than just matching recorded sentences. (And the user would probably have to do a lot more speaking in order to train the system -- you'd need to make sure you'd heard the user speak all the phonemes in the user's language.)

#59 ::: Greg London ::: (view all by) ::: August 10, 2006, 07:42 PM:

AI isn't on par with hyperdrives because AI doesn't require entirely new, made-up physics.

I think it would require a completely, turned-on-its-head view of consciousness. As far as I can tell, we're in the flat-earth frame of understanding the human mind.

#60 ::: Jasper Janssen ::: (view all by) ::: August 13, 2006, 04:26 PM:

Standard European locks can be removed in not much more time than it takes to bumpkey it open simply by the application of overwhelming force. Also known as "no matter how convoluted the key, if your door's made of glass who cares?"

Incidentally, one of the videos on the toool website told me that 80-90% of American front door locks are all by 2 or 3 major brands, which makes it an awful lot easier to be proficient in getting them open than it is in Europe, where there are many different manufacturers of standardised cylinders.

Also: Lockpicking *does* leave marks. Even if you're good. Not on the outside of the lock around the keyway, but on the inside, on the tumblers. The picks will hit them in different places than a key would and brass scratches easily.

#61 ::: Jasper Janssen ::: (view all by) ::: August 13, 2006, 04:41 PM:

Bumping is a logical thing. If you can force an object past the tumblers the lock will turn. That's any object. Using a blank key is okay, but why bother when a slim pair of scissors will work too.

This only works in the cheapest of low-security locks, where the tumblers are there to stop you inserting a key into the rearmost bit, and the rearmost bit is the active bit. Car locks, especially on cheap and/or older cars, sure. Bike locks, sure. On house locks, not so much. They work by preventing the cylinder from turning if the key doesn't raise the sets of tumblers so that the breakline of each tumbler set is at or very near the border between the cylinder and the surround. Cylinder/surround typically does not wear down over a house lock's life, certainly not enough to become 'stick a screwdriver in' openable, especially not without damage. Leastways not before they've loooong turned into being unopenable in the first place. My grandmother's house has had the same lock (AFAIK) since 1955, and while it's getting to the point that it's occasionally hard to open without jiggling, it's nowhere near to opening on its own.

#62 ::: Wim L ::: (view all by) ::: August 13, 2006, 04:56 PM:

In all the home burglaries I know of, the burglar just used a brick or crowbar on a window, nothing as sophisticated as even the simplest lock pick. Bump keys wouldn't change that situation any. Bumping is more useful, I think, for entering institutional buildings that might have better overall security, and where it's useful to be able to hide the fact that the lock has been picked. That is, espionage. (But also for legitimately dealing with lost keys.)

Michelle: I think the bump technique here is different from what you describe as "to Mexican". Bumping doesn't necessarily damage the lock in any way, or require a worn lock.

Ben: That seems like a good countermeasure against bumping (and any other yet-to-be-developed attacks which rely on dynamic properties of the pins). Maybe a dilatant solid spring could be used instead of an oil dashpot, to avoid the gooey-key problem...

#63 ::: Carrie S. ::: (view all by) ::: August 21, 2006, 12:21 PM:

It is indeed a sobering thought to realize that there's really no such thing as a locked door. It's even more sobering to realize that there never really has been.

As my boyfriend likes to say, locks are there to keep honest people honest. I'd add "and because most thieves won't bother picking a lock when odds are good the guy down the street hasn't locked his door".

I know how to pick locks, in much the same way that I know a bunch of passwords and PINs that aren't mine, and the default login and password for common or garden UNIX systems. It's not that I'm planning to actually use this knowledge, I just want to be able to. I went to a school that really wants to be as cool as MIT (Carnegie Mellon), so there was a time in my life when I got into a lot of places I shouldn't have, but these days I'm content to just collect the techniques. :)

#64 ::: James D. Macdonald ::: (view all by) ::: August 21, 2006, 10:05 PM:

It's been a while since we've had FEMA Follies. It's nice to know that they're completely incompetent in the small details as well as the large ones.

FEMA changing locks on trailers
By LARA JAKES JORDAN, Associated Press Writer
Published 9:42 am PDT Monday, August 14, 2006

WASHINGTON (AP) - FEMA will replace locks on as many as 118,000 trailers used by Gulf Coast hurricane victims after discovering the same key could open many of the mobile homes.

One locksmith cut only 50 different kinds of keys for the trailers sold to FEMA, officials said Monday. That means, in an example of a worst-case scenario, one key could be used to unlock up to 10 mobile homes in a park of 500 trailers.

#65 ::: Angela B. ::: (view all by) ::: August 27, 2006, 06:39 PM:

As far as bump keys being available on the net, you don't have to go any further than Ebay....

Yeah. They ban the sale of homeschooling books, but you want a bump key? You can find IT on Ebay.

#66 ::: 11-yearold bump/lockpicker ::: (view all by) ::: November 09, 2007, 10:19 PM:

well... the thing about lock bumping is... people say it leaves "NO MARKS" well, don't believe that bull-crap, it leaves marks all over the lock depending on its species/type, the usual kwikset, yale and weiser lock always take a dent at the top of the key way, I've seen quite a few of them on my practice dead bolt... so if you were broken into and u don't really care about the whole safety issue, then buy a kwikset, yale or weiser lock so ur insurance company will pay up!! also.. how do you cut the freekin' yale keys into bumpkeys!!! I've tried to cut 7 other keys and they didn't work!!! OMFG!!!! thanks for listening =P

#67 ::: 11-yearold bump/lockpicker ::: (view all by) ::: November 09, 2007, 10:24 PM:

also another thing!!! watch out what kind of door ur bumping!!!!!!!!!!!!!! i cannot emphasize that enough!! if you have/ or you're bumping a frail/brittle glass door ur gonna make a racket!! and if ur doing it while the resident of the house ur bumping is home, well then... you're basically screwed, so in certain cases.. it's probably better to pick the lock rather than bump it, but i think bumping the lock can be very helpful :)

#68 ::: Chris Pankhurst ::: (view all by) ::: January 20, 2008, 03:52 PM:

There is a cure to lock bumping that everyone can afford. It's called pickbuster and made in the UK.
Have a look at their web site. www.pickbuster.com
All the best to everyone. Chris

#69 ::: ethan ::: (view all by) ::: January 20, 2008, 04:00 PM:

On second thought, I think I spoke too soon. Apologies.

#70 ::: Bob Ottenmiller ::: (view all by) ::: June 02, 2008, 01:10 PM:

For most household locks you can have a locksmith change the top pins to bump resistant pins.

#71 ::: Serge sees pin spam ::: (view all by) ::: June 02, 2008, 01:34 PM:

"Pins!"
"Saltpeter"
"Pins!"
"Saltpeter!"
"Pins."
"Pins."

#72 ::: Mary Aileen disagrees ::: (view all by) ::: June 02, 2008, 02:35 PM:

No, it's legit. It's on-topic and not pointing to a commercial site.

#73 ::: Serge stands corrected ::: (view all by) ::: June 02, 2008, 02:41 PM:

It's safe to say Mary Aileen is right.

#74 ::: Terry Karney ::: (view all by) ::: June 02, 2008, 02:44 PM:

I'm sure we were all waiting on pins and needles for the ruling.

#75 ::: Michael ::: (view all by) ::: January 26, 2009, 03:49 AM:

I was looking for something else when I stumbled onto this thread so I thought I'd pass along something that I'm surprised hasn't made it onto the discussion yet.

Kwikset used to be the cheap crap locks of the USA but they've stepped up and started making ring-cylinder locks that are bump resistant and pick resistant. I have one and love it. I got the one with a number pad so I can just enter a code (easy to change) and it can't be opened with a gummy bear either.

http://www.kwikset.com/Products/SmartKey/default.aspx

I'm hoping that Yale does something similar soon so I can have a decent lock on my Tardis (yes, I really have one) since it's out on my back patio.

#76 ::: Rob Rusick ::: (view all by) ::: January 26, 2009, 07:32 AM:

Michael @76: Got a link to a picture of your Tardis?

#77 ::: Stuy ::: (view all by) ::: October 09, 2009, 11:12 AM:

Please. who really believes that trash.. some loser in a bedroom typing shite.. oh dear... have you ever tried lockpicking you loser???

dont worry about twats like this, they are full of it..

[Spam links deleted. Posted from 80.194.35.104. -- JDM]

#78 ::: Mary Aileen sees rudeness if not spam ::: (view all by) ::: October 09, 2009, 11:58 AM:

I didn't follow the link, so I can't determine if #80 is pre-disemvowelled or pre-deleted.

#79 ::: Earl sees link spam at 80 ::: (view all by) ::: October 09, 2009, 12:22 PM:

An interesting spelling choice in this one. Definitely link spam, though.

#80 ::: Terry Karney ::: (view all by) ::: October 09, 2009, 03:44 PM:

Stuy: And why should we believe you, rather than our own lying eyes (and the people who gathered the data for the report)?

Then again, I've done some lockpicking, and used bump keys.

Guess whom I think to be more full of it?

#81 ::: David Dyer-Bennet ::: (view all by) ::: October 09, 2009, 05:32 PM:

I did some lockpicking, back in college. With minimal instruction (from self-taught non-experts) I found I could quite easily open the dorm room locks, which I remember thinking were decent enough if nothing special. I learned a good portion of the things I later found in "Ted the Tool's" lockpicking guide.

#82 ::: Jim Macdonald ::: (view all by) ::: October 10, 2009, 11:07 AM:

As it happens, I have a bump key on my keyring right now, and it fits the locks at the hotel where I'm currently staying.

Silly thing works.

#83 ::: John Hawkes-Reed ::: (view all by) ::: October 11, 2009, 08:21 AM:

@80:

I spent a mildly drunken couple of hours learning how to pick locks with some of the Toool.nl guys in their tent at HAR2009 just the other month.

They're a lovely bunch and really do know their stuff. (Not unlike the rest of the HAR volunteers)

#84 ::: Serge ::: (view all by) ::: October 11, 2009, 09:56 AM:

Never done any lockpicking.
Nitpicking, on the other hand...

#85 ::: Joel Polowin ::: (view all by) ::: October 11, 2009, 12:12 PM:

I've picked a few very simple locks in my time. The compass from a geometry set has unlocked the "piggy bank" (actually a Dutch wooden shoe) I used as a child, the briefcase I carried my school books in when I was a bit older, and the handcuffs that a bully/twit used on me on a high-school school bus. (That last is a precious memory. It only took me about two minutes to dig the compass out of my briefcase and pick the lock. When I got off the bus, I simply handed the handcuffs back to the twit with a slightly contemptuous expression: "you loser". I caught just a glimpse of the look of shock on his face as I turned away.)

A bit less than ten years ago when I first became treasurer for the Ottawa SF Society, I acquired the briefcase that went with the position. It has two 3-digit combination locks, which were locked, and nobody knew what the combinations were. (I recently learned that they were probably a former phone number or postal code or something from a previous treasurer, not that that would likely have helped at the time.) But I'd read Richard Feynman's Surely You're Joking, Mr. Feynman!, in which he describes learning how to pick simple combination locks by applying slight pressure while trying to turn the dials. The technique worked like a charm. (And once I opened the locks I was able to reset their combinations to 0-0-0, so it wouldn't be a problem in future. The briefcase is almost falling apart anyway, and is rarely out of my sight; it's not like I need the security.)

#86 ::: John ::: (view all by) ::: April 12, 2010, 09:34 PM:

Maybe if the locksmith would leave the three factory anti-pick spooled top pins in the lock instead of pocketing them and installing regular pins then the torque used while bumping locks would just false set on the security pins when bumped. You get three such pins with each kwikset lock but when I re-keyed my house, not only did I find entire pins missing in the 6 pin locks but only one security pin in six locks. The house was also master keyed to 32 masters probably builder's keys that were disabled by the protecto balls but it still means there are 32 possible key bittings that would open all the locks in the neighborhood (except mine now).

If you really wanted to be secure, replace the top pins with mushroom head pins which are far more likely to false set when bumped. If you're still concerned, get a Japanese Royal Guardian pin and tumbler lock which have trap pins such that the bump key would get trapped as evidence of tampering (just make sure you have another way into the house as the lock will have to be disassembled to unjam).

There's something fundamentally unethical about a profession that intentionally reduces the security of the locks they install and then charge you a fortune to improve the security. The locksmith wanted $150 to re-key the locks, I did it for $1.80 in pins, borrowing the tools from a mom and pop hardware store who also walked me through a practice lock.

The locksmith was also muttering about changing to titanium pins for the extra strength when every engineer knows that titanium is strong for its weight not its size, an equivalent volume of aluminum is much stronger than titanium, just heavier. There's still nothing better than a good quality solid brass lock with solid brass pins, a complex keyway, a clever arrangement of security pins and a clever bitting pattern. Well except posting a 24 hour security guard.

Remember the lock only has to be strong enough so that the thief decides to go through the window instead.

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 by Patrick & Teresa Nielsen Hayden. All rights reserved.