Postfix, Dovecot, PostfixAdmin, Spamassassin on MySQL and CentOS 5.5

First, let’s handle the boring dependencies. Make sure you’re running as root.

# yum install httpd mysql php php-mysql wget

Set up SQL

# mysql_install_db –user=mysql
# mysql_secure_installation
# service mysql start
# mysql -p

You should now be staring at an SQL prompt. The following should be all of the necessary SQL commands for the entire HOWTO.

mysql> CREATE DATABASE postfix;
mysql> CREATE USER postfix@localhost IDENTIFIED BY ‘your_password’;
mysql> GRANT ALL PRIVILEGES ON postfix.* TO postfix;
mysql> grant SELECT ON postfix.* to ‘dovecot’@’localhost’ IDENTIFIED by ‘dovecot_password’;
mysql> grant SELECT, RELOAD, LOCK TABLES ON *.* to ‘backup’@’localhost’ IDENTIFIED by ‘backup’;
mysql> flush privileges;
mysql> exit

I’d really recommend writing a SQL backup script, and tossing it in your crontab. It’s optional, but a bloody good idea.

# env EDITOR=nano crontab -e

You might want to tune your Apache HTTPD configuration.

# nano /etc/httpd/conf/httpd.conf
# service httpd restart

Grab a copy of PostfixAdmin

# wget
# tar -zxvf postfixadmin-2.3.3.tar.gz
# mv postfixadmin-2.3.3.tar.gz postfixadmin
# mv postfixadmin /var/www/html/
# cd /var/www/html/postfixadmin
# nano

Follow the steps in to complete configuration. Basically, you’ll need to fill in some database information and create a password for adding administrators to PostfixAdmin. You want to point your web browser at http://www.yourdomain.tdl/postfixadmin/setup.php

It’ll display a checklist. Make sure all of your checks are good and it should make the necessary structure changes to the SQL database. Be sure to log in PostfixAdmin and make sure everything is happy. Otherwise you will be sad. Toss in some info, test email addresses and whatnot.

Enable CentOS Plus repo, then install postfix. The standard CentOS 5.5 repo doesn’t include the version of Postfix with SQL support. Why, I have no bloody clue. You want postfix 2.3.x. Be sure to exclude postfix from the updates and regular base repo. I snagged the version of PHP5 from the CentOS Testing repo as well, lot of webapps want it. I configured both additional repositories to only snag the packages I want.

Run postconf to see what is being supported.

# postconf -m
# postconf -a

If it doesn’t list MySQL on the first command and dovecot on the second, you have the wrong version of postfix. You probably messed up your repo hacking. Let’s ignore postifx for a moment, and move on into the realm of insanity. Here there be dragons.

Now, to snag dovecot. This is going to be ugly.

# rpm -Uvh
( or for x86_64, use )
# rpm –import
# yum install dovecot

You should have gotten dovecot 1.0.13. Recheck your repo config if you didn’t. For the love of the odd gods, do NOT use the standard CentOS repository for dovecot, which would be 1.0.7 or whatnot. It’s broken. Yes, do not ask me why anyone would keep a royally screwed up version in the main repository of a distribution known for testing and stability. I have no bloody clue.

# mkdir -p /var/vmail
# chmod 770 /var/vmail
# useradd -r -u 101 -g mail -d /var/vmail -s /sbin/nologin -c “Virtual mailbox” vmail
# chown vmail.mail /var/vmail
# cd /etc
# cp dovecot.conf dovecot.conf.original
# echo “” > dovecot.conf
# nano dovecot.conf

# ————————————
# ————————————
mail_location = maildir:/var/vmail/%d/%u
first_valid_uid = 101
last_valid_uid = 101
maildir_copy_with_hardlinks = yes
protocol imap {
mail_plugins = quota imap_quota
imap_client_workarounds = outlook-idle delay-newmail
protocol pop3 {
mail_plugins = quota
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocol lda {
postmaster_address =
mail_plugins = quota
log_path = /var/log/dovecot-deliver.log
info_log_path = /var/log/dovecot-deliver.log
auth default {
# Having “login” also as a mechanism make sure outlook can use the auth smtpd as well
mechanisms = plain login
passdb sql {
args = /etc/dovecot/sql.conf
userdb sql {
args = /etc/dovecot/sql.conf
userdb prefetch {
user = nobody
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = mail
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = mail
dict {
plugin {
# quota = maildir:storage=10240:messages=1000
# acl = vfile:/etc/dovecot/acls
trash = /etc/dovecot/trash.conf

Save it and get back to the command prompt. We still need to connect up to the SQL database that PostfixAdmin set up for us. Remember the dovecot password from that MySQL query earlier?

# nano /etc/dovecot/sql.conf

driver = mysql
connect = host=localhost dbname=postfix user=dovecot password=DOVECOT_SQL_password
user_query = SELECT concat(‘/var/vmail/’, maildir) as home, concat(‘maildir:/var/vmail/’, maildir) as mail, 101 AS uid, 12 AS gid, concat(‘maildir:storage=’, quota) AS quota FROM mailbox WHERE username = ‘%u’ AND active = ‘1’
password_query = SELECT username as user, password, concat(‘/var/vmail/’, maildir) as userdb_home, concat(‘maildir:/var/vmail/’, maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = ‘%u’ AND active = ‘1’

# Config Notes:
# Note, query needs to be on ONE line
# Your web browser and paste will wrap it.

# nano /etc/dovecot/trash.conf

Paste in the folders you want created automatically

1 Spam
2 Trash

# cd /etc/postfix
# nano

Paste the following (yes, intended on the third line)

# Dovecot LDA
dovecot unix – n n – – pipe
flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}

# cp
# echo “” >
# nano

Paste all of the following into

# Local Settings
myhostname = mail.example.tld # Change this, dude.
inet_interfaces = localhost, $myhostname
mynetworks = $config_directory/mynetworks
mydestination = localhost.$mydomain, localhost, $myhostname
#uncomment if you need relay_domains… do not list domains in both relay and virtual
#relay_domains = proxy:mysql:$config_directory/
# Virtual domain start
virtual_mailbox_domains = proxy:mysql:$config_directory/
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = proxy:mysql:$config_directory/
virtual_alias_maps = proxy:mysql:$config_directory/
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:12
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Save. Restart dovecot and postfix. Attempt to send mail back and forth. If it doesn’t work, go to /var/log/maillog and start reading.

If it works, and only once it works, we start on spamassassin.

# yum install spamassassin
# sa-update
# spamassassin –lint

If you get an error, then do the following:
– # rpm -q perl-Net-DNS perl-NetAddr-IP perl perl-IO-Socket-INET6
– # rpm -qi perl-IO-Socket-INET6
– # yum remove perl-IO-Socket-INET6
– # spamassassin –lint

If you didn’t get an error, start back here.

# adduser spamfilter -s /sbin/nologin
# nano /etc/postfix/

Add to bottom:

spamfilter unix – n n – – pipe
flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter -f ${sender} — ${recipient}

Change from near top

smtp inet n – n – – smtpd
-o content_filter=spamfilter:dummy

# nano /usr/local/bin/spamfilter

Past in the following


/usr/bin/spamc | /usr/sbin/sendmail.postfix -i “$@”

exit $?

# chown spamfilter /usr/local/bin/spamfilter
# chmod 755 /usr/local/bin/spamfilter
# postfix reload

You can generate a config file from SA Configuration Generator. The output goes to /etc/mail/spamassassin/


user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name
query           = SELECT domain FROM domain WHERE domain=’%s’ and backupmx = ‘1’
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name
query           = SELECT goto FROM alias WHERE address=’%s’ AND active = ‘1’
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name
query           = SELECT domain FROM domain WHERE domain=’%s’
#optional query to use when relaying for backup MX
#query           = SELECT domain FROM domain WHERE domain=’%s’ AND backupmx = ‘0’ AND active = ‘1’
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name

query           = SELECT quota FROM mailbox WHERE username=’%s’ AND active = ‘1’
user            = #SQL user
password        = #SQL password
hosts           = localhost
dbname          = # database name

#query          = SELECT CONCAT(domain,’/’,maildir) FROM mailbox WHERE username=’%s’ AND active = ‘1’
query           = SELECT maildir FROM mailbox WHERE username=’%s’ AND active = ‘1

Read More

Server hardening notes

httpd.conf – Tune for lower memory utilization
httpd.conf – Add TraceEnable off
httpd.conf – SSLProtocol -ALL +SSLv3 +TLSv1
httpd.conf – SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

PHP.ini – expose_php off

/var/qmail/control/servercert.pem – add key
/var/qmail/control/tlsserverciphers – add ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
/etc/courier-imap/pop3d-ssl – TLS_CIPHER_LIST=”ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH”
/etc/courier-imap/imapd-ssl – TLS_CIPHER_LIST=”ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH”

General notes – Zip phpMyAdmin and keep in offline status until needed
SSH – check config to force higher cipher usage

yum -y remove sendmail openssl

yum -y install autoconf automake automake17 bzip2 bzip2-devel bzip2-libs compat-gcc-34 compat-gcc-34-c++ compat-glibc compat-glibc-headers compat-libf2c compat-libgcc compat-libstdc++-296 compat-libsdc++-33 curl curl-devel expect expect-devel gcc gcc-c++ gdbm gdbm-devel gmp gmp-devel groff httpd httpd-devel httpd-manual krb5-auth-dialog krb5-devel krb5-libs krb5-workstation libgcc libidn libidn-devel libtool libtool-ltdl libtool-ltdl-devel mysql mysql-bench mysql-devel mysql-server mrtg ntp openssh openssh-clients openssh-askpass openssh-server openssl openssl-devel pcre pcre-devel perl-libwww-perl perl-Archive-Tar perl-Digest-HMAC perl-Digest-SHA1 perl-HTML-Parser perl-Net-DNS php php-ldap php-mysql php-pear php-gd php-xml redhat-rpm-config rpm rpm-build rpm-devel rpm-libs rpm-python sed setup setuptool stunnel system-config-date wget which zlib zlib-devel ncurses-devel zip groff

Read More

Full Disclosure

There have been three discreet schools of thought on disclosing vulnerabilities. Totally open, partially open, and no disclosure. Fairly logical that.

No disclosure is the school of thought that the best means of security is no public and limited private dissemination of vulnerabilities is the best means of security. “Security through obscurity” is the primary phrase of this moment. The logic is quite simple on the surface. If “no one knows” about the problem, it doesn’t exist as far as virtually everyone knows. That means there will be less chance of said vulnerability being exploited, as few people will know about it.

Partially open disclosure is that the issue is acknowledged in very general terms, but no details whatsoever are given. In theory, it’s supposed to be a compromise of between the two parties. In practice, the majority hates it.

Full disclosure is just that. Open, complete discussion of vulnerabilities. All or nearly all details in the open to all parties. It’s not considered inconsistent to give the manufacturer or other responsible party a defined period of time to resolve the issue before publication of the vulnerability. The problem is that the vulnerability can be exploited by virtually anyone interested in doing so. Finding a flaw can be difficult, replicating it is often trivial.

Security through obscurity sounds like a very reasonable argument. Only problem is… Knowledge always leaks given enough time. Unless the person who found the vulnerability is a hermit, he or she is going to tell someone else. Or if that person exploits the vulnerability multiple times, it likely will eventually be noticed. A vulnerability that isn’t or can’t be exploited is of limited value to the bad people.

Another consideration is that virtually everyone, including black hats, are motivated by MICE. Money, Ideology, Coercion, and Ego. Black hats are motivated to do what they do. Previously, it was a historical trend that they did their work for ideology or ego. These days, black hats motivated by ego is the minority (in terms of being a threat). The majority are motivated by money, plain and simple. Primarily spam, but also harvesting personal/corporate/government information for resale or private exploitation.

The “individual” non-profit Black Hats are also starting to die off. They still exist, but are an extreme minority compared to the folks acting as independent or dependent contractors or specialists. Specifically, organized groups that have taken to information and electronic exploitation. Organized crime, intelligence services, military units specializing in IEW, paramilitaries (Security Services, terrorists, PMC’s, et al), corporate espionage groups, etc. They have a specific motivation, whatever it is. These motivations (MICE) have existed since the dawn of civilization and will not disappear until humanity does. Electronical medium is a new playing field, but the overall themes are extremely old.

Outlawing full disclosure is akin to outlawing firearms. People will still engage in their behavior and the only people hindered are the victims. Throughout time, people have always reacted to bad news by shooting the messenger in hopes that the underlining information or situation will expire with the messenger. This is never the case, but the mentality survives.

Full disclosure is very painful to virtually every party in some way. The originating manufacturer of the vulnerability must fix it, the researcher who discovered the vulnerability faces legal or reputation liability, the criminal now much deal with a potentially informed and prepared victim, the potential victim must mitigate the vulnerability.

This sounds like a major pain in the fourth point of contact. So why would any sane person advocate it?

Because it has been shown to be the only historical way of gaining real security.

This is not a new debate. The first published debate on full disclosure is traced to the 1850’s, but existed long before that. Guilds had elaborate procedures of restricting information to only acceptable parties in order to maximize profit at the expense of the consumer and public. Often, dangerously restricted. The milk processing guild restricted knowledge of their milk adulterating procedures, which happened to be very dangerous and not infrequently life threatening.

We are in the same boat as the public in the 1850’s. The overwhelming majority of people do not have the time, training or ability to thoroughly examine every bit of their operating system, every aspect of their locks, etc. It can and often does take a decade or more to master just one area of study. As humans are not immortal, it is impossible to have a mastery of all subjects.

It is in the public’s interest, as well as the manufacturer’s long term interest, to openly disclose vulnerabilities. If a batch of milk was contaminated, people who purchased it must be told. If a lock can be bypassed trivially, the owners should know. If a car has faulty brakes, the driver must know. If there is a major hole in a computer system, the operator must know it exists. Without this knowledge, it is impossible to mitigate the risk. The public will suffer. After being burned, they will not trust and will extract retribution (hopefully through the courts) on the responsible party, the manufacturer.

While it is painful, the manufacturer who discloses a vulnerability greatly reduces their long term liability for a defective product. They then build a better product. Short term loss, long term gain.

Unfortunately, the “shoot the messenger” instinct is still very very strong. In the US, there are laws in place that severely restrict reverse engineering. Free speech prohibits blanket bans of security publications, but Congress does its best to infringe on behalf of people who solely focus on the short term. This has extended to the point of security researchers literally being dragged off the podium in handcuffs. (Sklyarov) It is not infrequent for the manufacturer of the vulnerability to threaten or engage in legal proceedings to silence security researchers. (MIT students v MTA metrocard, et al) People just naturally get angry when they are given bad news. Especially if bad news is directly attributable to the person receiving the bad news.

If you think hackers get treated unfairly, try giving open disclosure lectures on locks. People are absolutely shocked, horrified and angry that their $20 pot metal piece of garbage lock is easily bypassed. Rather than accept personal responsibility and make reasonable steps to mitigate the issue, it’s just plain easier to be angry at the person who told you the information. It doesn’t change the reality of the situation. The vulnerability exists, whether folks know about it or not.

Professionals inform each other. Criminals circulate information. When open disclosure is banned, only the consumer or potential victim is in the dark. Exactly like gun control. When you attend to infringe or ban firearms, you do not stop the police or criminals from owning firearms. Only the public is hurt. Information on vulnerabilities is no different.

Read More

Scanning Electron Microscope Analysis of Pin Tumblers

Naturally, everyone knows picking locks makes some sort of marks on the pins. Steel is harder than brass, ergo it’s pretty likely to scrape away brass material. I got interested and looked around a bit. I saw a couple decent photos taken with a high MP camera and cropped, but nothing truly showing close up shots. So, I decided to toss a couple pins under an scanning electron microscope. I didn’t happen to have one in my kitchen, so I went to the logical folks. Nanotech physics geeks, of course.

I went to the local Target and picked up three Master branded doorknobs. I liked the brand, as they seemed decent quality but not overly expensive. One was left pristine, one was picked, and one was bumped. I bagged all three cylinders and mailed them off along with a couple bags of candy. If you ever want to get geeks to do something, bribe them with sugar and/or caffeine. In this case, I decided to entertain myself by sending them Smarties and Nerds. I was gonna include a bag of Dum-Dums for the nano geeks to give to the chemistry department, but decided that wouldn’t be nice.

Anyways, onto the photos:

I chopped down the photos a bit to save on bandwidth. Download and zoom to view properly. If anyone really wants the larger files, let me know. They’re not substantially different than if you just zoomed in on the provided. All pins were imaged, and numbered from front to back. Pin 1 being closest to the keyway, Pin 5 being furthest in.

Pristine Cylinder, Pin 5, Photo C


I noticed deep, long scratches even on the unused cylinder. Likely they tested a key at the factory. They were on all pins in all cylinders tested. Often one long scratch, and several smaller ones at different angles.

Pristine Cylinder, Pin 5, Photo D


Different shot of the same pin. You can notice some surface deformation from manufacturing.

Pristine Cylinder, Pin 2


You may notice black specks in various photos. This is primarily dust, but occasionally specks of brass or other contaminates. This is a 100 micron shot of one example of a piece of dust.

Picked Cylinder, Pin 1, Photo B


And now we get to the interesting part. You can fairly clearly see evidence of picking. It does not look even remotely like the key marks. They are significantly less uniform in both length and angle, as keys generally do not have that much play when entering or leaving a lock. The most telling factor (if you look closely) is that they damage the edges of the pin. While key marks do leave scrapes on the pins, they do not mutilate the edges of the pins anywhere near to the same level as picking.


Here is a close up shot of the edge of Picked Cylinder, Pin 1. The edge mutilation is quite visible.

Picked Cylinder, Pin 1, Photo C


Another shot of Pin 1.

Bump Cylinder, Pin 2, Photo B


The evidence of bumping is slightly harder to see at first glance. Bumping appears to leave deeper key marks. Occassionally these key marks are punctuated, like dashes. Regular key marks are long, smooth scrapes.

Bump Cylinder, Pin 2, Photo C


Another shot of the same pin. Note the punctuated key marks.

Bump Cylinder, Pin 3, Photo C


Bumping also plays hell on the edges of a pin. Very deep key marks.

Bump Cylinder, Pin 5, Photo D


Nice clear photo of both punctuated key marks and deep key marks on the edge of the pins.

Pristine Cylinder, Pin 3, Photo C

50 micron shot of a key mark. Key marks are approximately 25 microns wide.

Pristine Cylinder, Pin 3, Photo N


Another 50 micron shot of a key mark.

Picked Cylinder, Pin 3, Photo A


Clear shots of pick marks at the edge of a pin

Picked Cylinder, Pin 3, Photo C


Closer shot of pick marks

All images courtesy of Jeff Doughty and the Nano-Development Lab at Portland State University.

Read More

Physical Security Countermeasures


The three most common ways of illegally entering a house is kicking in the door, breaking a window and drilling.

Doors are the usual way of entering and leaving a residence. They should and do receive a significant amount of attention, but oddly, 90% of doors are poorly secured. Most doors sold in America frankly suck. They are either metal or wood. Ironically, solid wood doors are usually the more secure. Most wood doors are not solid one piece construction, but often cheap relatively soft light wood with an appealing veneer. Any wood door with deep sections cut out of the door for aesthetic purposes is not recommended. Most residential metal doors are a very light gauge steel of dubious quality. They are near universally hollow or foam filled. At the moment, there are no brand of doors that I would unhesitatingly recommend. It’s usually cheaper to make your own. Laminate a few sheets of decent gauge sheet steel, optionally adding insulation between layers. Glue on wood veneer for pleasing aesthetics. Use three or four decent hinges and the door should still open rather cleanly.

Even with the generally poor quality of locks on residential homes, often the locks are stronger than the door and door jamb. The most common occurrence when a door is kicked is for the latches of the doorknob and deadbolt to rip through the thin surrounding material or for the lock to rip through the door. There is a very simple and relatively inexpensive solution. Reinforce the door jamb. I highly recommend DJ Armor (, but other cheaper versions are better than nothing at all. Your reinforcement kit should include decent gauge metal to go on both sides of the door and a U shaped square of metal to go around the lock.

Here is a somewhat cheesy video demonstrating the product:

One thing that door lamb reinforcing kits will only somewhat help alleviate is a splitter. Basically, imagine a car jack, turned sideways. You crank the jack until the frame is warped and latches are no longer protruding into the door frame. The only solution is to have heavy structural material around the door. Good brick, strong stone, cinder block or concrete. It’s not widely used, as it’s not quick, requires specific equipment, very noticeable and not very subtle. There is a relatively easy if inconvenient solution, a cross bar on the inside of the door that well connected to the frames. It’s not a likely threat, so the solution isn’t really recommended.

If you wanted to be cost effective, you could install a more robust jamb reinforcement setup on one door and devices like “Door Club” (or any other door brace) on any other door. Door braces are pretty simple. You install a device that prevents the door from opening whatsoever when installed. They vary in quality, but they’re pretty cheap and work “well enough” if the door is reasonably well constructed. Downside, of course, is you can’t open the door from the outside and you have at least one hole in your floor.

A very obvious problem is any openings (or potential openings) within arms reach of the locks. Windows, especially. Same theory applies for mail slots, wide gaps between the door and frame. If this applies, buy and install a double cylinder deadbolt. This is a keyed opening on both sides of the door and no latch to automatically open the door. Many such deadbolts include a special “inside only” key. Most people just hang it across from the door, but well out of reach. This is a perfectly valid solution.

If the door surface is flush to the door jamb, it’s easy to shim the door. aka, the old credit card trick. Don’t actually use a credit card. A bendy piece of metal works better. You use it to trip the latch and make the door think it’s currently open. If this is truly problematic, you probably want a different door or door frame. A field expedient solution is to install metal slab covering the latch area. It can be sawed with relative ease, but it’d stop or slow a shim which ordinarily take seconds. Do not use a lever doorknob on the inside of the door if at all possible. They are significantly easier to manipulate with a wire or whatnot.

The most simple and cheapest way to help secure your door is the hinges. These are often overlooked. Use some form of security hinge. Non-removable hinges have a set screw to retain the pin that is only accessible when the door is open. Safety stud hinges have a chunk of metal that sticks out of one side of the hinge to a corresponding hole on the other side of the hinge. If the pin is removed from a safety stud hinge, the door cannot be opened due to the interfering stud. Crimped pins are riveted into place and the pin is not removable. Hinges, even really secure ones, are very cheap. $10 for top of the line hinges is not uncommon. Go insanely speedy on hinges, they’re very often overlooked.

Garage doors are another lovely weak point. Change any remote garage door opener from the default combination. Remove the emergency pull rope on the inside of the door if practical. If not practical, shorten it and do not put it in a loop that is easy to snag with a shim. When you are leaving for an extended period of time, disable the garage door opener, disengage the mechanism, and use at least one padlock on the door on the inside. I personally recommend securing any door between your garage and your house like an external door, but most people do not.

Ok, enough of that. Now onto the fun stuff, locks. If you want to go the cheaper route, buy any doorknob you like and install a very good deadbolt. You don’t want to reverse that. Doorknobs by their nature are easier to attack. For cheaper doorknobs, you can remove the handle with a set of pliers or a small sledgehammer, then use a screwdriver to turn the door mechanism. Even the best doorknobs are vulnerable to this, just requiring significantly more force or time until failure.

Deadbolts. I really, really recommend an Abloy. Obviously, I’m really into lock picking. I have never, once heard about someone picking or bumping an Abloy. Not even dubious second or third hand accounts. The only weakness I’m familiar with is a specialized drill head sold in Europe to licensed locksmiths, which is obviously and definitely not a “nondestructive entry” method. Conventional drills will work. Eventually. If they don’t burn out the drill…

Now, again, you get what you pay for. You can go with an Abloy cylinder in a third party deadbolt case, which is cheaper, $120 at and is a ANSI grade 2. Or you can go whole hog, ANSI Grade 1 or Or you can take a step down and go with a Medeco. Medeco is first tier and it’d do you just fine. It’s used at the Pentagon, White House, etc. But it’s significantly less secure than an Abloy. Medecos are vulnerable to bumping. They are/were King of the Mountain, and folks REALLY threw themselves at it. The result is “Open In 30 Seconds” which is an entire book entirely on cracking Medeco locks. I don’t really recommend the BiLock deadbolts, though it is considered a first tier product. All three would do you just fine, I’m just being a security geek and pointing out theoretical attack vectors that are possible but pretty highly unlikely.

If you do go with an Abloy, you can almost always get your locks same keyed at little to no cost. You’d probably want that if you get a new knob set along with a new deadbolt. One bit of warning, GET EXTRA KEYS. If you lock yourself out, your locksmith is going to alternate staring at the door and staring at you. He’s expressly NOT going to be able to fabricate keys for you. That’s kinda the whole point. Oh, bonus, Abloy keys are interchangeable on the same platform. You can get any number of deadbolts, door knobs and padlocks keyed to the same key with ease. It just has to be the same line of cylinder. Elite, Protec, whatever.

Now let’s jump into the ultra paranoid realm for a second. I’m not advocating any of these, as it’s seriously overkill for any home. First is shielding. Even the best locks are vulnerable to denial of service attacks. Usually juvenile delinquents that insert glue into a lock. To prevent denial of service attempts and even more drill resistance, you want to combine an Abloy and a Drumm Security Geminy Deadbolt Shield. With a high performance drill, you might drill through both in roughly… hour or two. Mind you, that’s with the best drill and bits. A regular handheld? I dunno, eight or nine hours if at all. For even more security, Abloy offers various levels of key protection. For an extra couple bucks (per key, not per lock), you can buy a different key profile. If you bought this, only the original vendor and the factory have the replacement keys. No other vendor or locksmith could reproduce your keys. The vendors and factory would only release new keys under very strict procedures. Defense in depth. You could install a door jamb reinforcement kit on a bedroom door, and a no-key latch-only deadbolt. If someone were to break in, you’d gain extra time to secure weaponry or dial 911. Also, it is possible to remove peepholes from a door and install one in the opposite direction.

That’s enough on doors. Now onto…


First rule. Film all accessible windows or glass. If it’s on the ground floor, definitely film. If it’s on the second floor… Strongly consider it. I strongly recommend ShatterGARD ( Other security films may or may not be just as good, thoroughly review before purchasing. I extremely strongly recommend getting it professionally installed. It’s really easy (slap on, mist with liquid, squeegee) but you really don’t want to blotch the job.

Here is a mildly cheesy video demo:

Windows are hard to give specific advice, because they greatly vary. Consider installing real locks on the windows. You can improvise on a temporary basis by cutting some wooden dowels to size to prevent the windows from being jimmied open while you’re gone. These are excellent:

You could get by with any hasp and a padlock if you wanted an ugly but efficient install. Line up the hasp, use a magic marker to fill in the holes, remove hasp, drill a thin pilot hole, line up hasp again, inject in some glue, drill in nice deep wood screws of good quality. Cyanoacrylate is great, but you need to move quickly and it’s very unforgiving of error.

Full length door windows = bad. Very bad. Immediately install a double cylinder deadbolt. Even a kwikset double cylinder deadbolt would a thousand times more secure than a single cylinder Abloy deadbolt in this case. You could film the door window and it’d be ok (but not good). Consider reinforcing the window frame. I’d recommend, if financially capable, eventually replace that door. Don’t even consider a door brace for the door with a full length window. If they can SEE the door brace, they’re going to go through the glass.


Work from the worst problems to the mildest. You do one bit at a time if you’re financially limited or pick and choose if you feel any of the above is overkill. Just always remember, physical security is only as strong as the weakest link.

Regardless of your cash level: Wooden dowel the windows when you’re gone, secure garage when you’re gone, immediately and without delay install double cylinder deadbolt if you have glass near the deadbolt. Security hinges are a must and dirt cheap.

Read More

A More Comprehensive Guide to Lockpicking

Legalities, Rationalities, etc

Don’t break the law. Lawyers are not cheap, and jail is not a pleasant place. Just buy a lock. It’s easier to work and it’s legal. If you’re low on cash, ask friends, family and coworkers for locks with no keys. You can easily fashion your own tools and such if need be.

Now, you might ask, why teach people to break the law? Trust me, I’m not. Some criminals could teach a master locksmith plenty of tricks that are completely unknown to the legitimate locksmithing trade. This is not speculation. I have known roughly a dozen guards from various high security prisons. With few tools (of a kind a guard is willing to hand to a convict), a prisoner could pop open a car or truck door in seconds on demand.

I am a security geek. Any information security professional will tell you, it’s nice to have an expensive firewall, good patch regiment, good policies, and all that. But does that help you if someone steals your physical server? I’ve seen data center doors opened with a Blockbuster card, and I’m not being sarcastic. Most locks suck. They really suck. Computer security has made huge progress over the last ten years, due to full and open disclosure. Rather than suppressing vulneralities, systems were put into place to collect security issues, get manufacturers to fix the issues, and publish the fix. There is always a worry that publishing a fix will tip bad guys to how to exploit a vulnerability. Regardless of how the bad guys are tipped off, a vulnerability exists whether it’s publically known or not. Most of the time, it is virtually impossible to know if the bad guys know about a vulnerability unless they publically expose their finding.

The lock industry and the locksmith industry often do not believe their customers have a right to know what they are getting for their money. A lot of folks think differently. Regardless of knowledge, a lock is either secure or it is not. Knowledge doesn’t change the physics of a lock. If you’re reading this, go ask a random stranger nearby how secure their locks are. If they don’t answer, “Could be opened in a few seconds, with no damage or apparent evidence”, they are not well informed. They should be.

Besides, criminals tend to bypass locks. They break a window and enter, or smash the door in. A sledgehammer on the door knob works too. If you put a Club on your steering column, they’ll cut into the steering wheel with snips, a hacksaw or whatnot and remove the club with ease. If you want to make your house relatively secure, put anti-shatter security film on your windows, use decent locks, reinforce your door jam, put motion lights around the property, etc. Get an alarm or a dog.

How to Pick Locks

Warded Padlocks

Cheapest type of lock. They work by allowing ‘any key’ that touches the latch to open the lock. Different obstacles are placed in the way to block any ‘unauthorized’ key. So you just have to avoid said obstacles (which are known as wards). Buy a $10 ward key set from any lockpick set. It’ll open any old ward padlock, and the cheapest modern warded padlocks.

The modern warded padlocks are slightly better. Most of them are specifically designed to block that generic $10 ward key set. Still pretty easy to defeat. Take your key. Count the number of things sticking out. Make that many copies of the original key. On each copy, shave off all but one of the bumps. One of said mutilated keys will open every example of that locks, it’s usually the key with the last possible bump furthest from the handle.

Shimming is not “lockpicking”, it’s a bypass. A bypass is a method of opening a lock by going around the actual locking mechanism. A shim is a flexible but slightly stiff piece of metal. It’s very simple to make. Get a Coke can. Cut out a rectangular piece one inch by half an inch. Cut a two V’s on one of the long sides, fold the end pieces over to reinforce the ‘handle’. You should have a V sticking out with a flattened end sticking out of a somewhat reinforced handle. Slide the V side of the shim on the inside of shackle into the padlock. Preferably on the side of the shackle that comes out of the padlock when opened. This trips the latch and opens the padlock.

Professionally made shims are available for sale online. They’re significantly more expensive than a mutilated soda can, so it might be work to buy a six pack and experiment. Even the best made shims won’t last more than half a dozen attempts. On the other hand, some padlocks can be opened by professional shims with relative ease and by the average homemade shim with great difficulty. Try both and see what works for you.

Combination Padlocks

The quickest way to open a combination padlock is to shim it. See above.

There is a HUGE variety of combination padlocks. The industry standard is the Master Lock silver padlock with the black and white dial. They’ve significantly improved over the years. I will give credit where credit is due, Master Lock has greatly improved their security over the years.

This trick worked when I was back in high school, it will probably work on any Master padlock made in the late 80’s to the early 90’s.

To get the first number, pull on the shackle, turning the dial to the left until it stops moving. Add five. To get the second number, reset the lock (spin it a bunch of times), enter the first number, turn to the right past the first number, now start pulling on the shackle as you continue to turn. Eventually it will stop and lock up. While locked up, pull on the shackle and try to turn. If it’s loose, keep going. If it’s very stiff, that’s the second number. For the last number… Enter in the first two combinations, then slowly turn the dial while pulling on the shackle. Eventually it will unlock. Remember, this only works on older Master Locks.

You can try the following for all but the very newest Master Locks. Sometimes it works, sometimes it doesn’t.

Reset the lock (spin the dial a few times). Stop on zero. Apply steady, firm but not insane tension on the shackle. Turn the dial slowly clockwise, eventually it will seize up. Write down the number (it might be between two integers, if so add 0.5). Now start turning counterclockwise. It will again seize up. Write down the number. Add the two numbers, divide by 2, this is your seize point. Release the shackle, turn the dial clockwise one number past the seize point. Reapply tension, repeat the process. You should get 12 seize points. Be sure to write them down.

Once you have found all seize points, knock off any that are not integers. You should have five left. Four of the five will share the same last number. The one of the five that does not share the same last number is the third number of the comination. Divide the third number of the combination by 4, write down the remainder. Now, write down the remainder (and mark it AS the remainder), and start a sequence of adding 4 until you reach the limit of the dial. For example, if your remainder was 2, write down 2, 6, 10, 14, etc. Mark this sequence as possible first numbers of the combination.

Now, if your remainder is 0 or 1, add 2. If it was 2 or 3, substract 2. Start a new sequence, starting with the number you just got. Now continue the sequence by adding 4 to it until you reach the end of the dial. Mark this sequence as possible second numbers of the combination. Remove any numbers within two digits of the third number of the combination. Now, generate a list of all possible combinations from the sequences and the known third number. Should be a total of 80 possible combinations, which is why you want to try to shim the lock.

You can also put the third number of the combination into this website and it will generate a chart for you:

Wafer locks

Wafer locks are similiar to pin tumblers, except they are thin slabs of metal and much closer together. They’re very common in furniture type locks, usually in desks and filing cabinets.

Buy a try-out key set, also called a “jiggler set”. Insert try-out key, jiggle, turn the lock. Very straight forward. There are some specialized picks that can be used, but most often try-out keys are quicker and just as efficient.

One note. Often in office environments, the plug is removable by an extra pin at the end. This ‘master pin’ is the only thing actually holding the entire plug inside the enclosure. if those is the case: use a short hook pick, feel to the end of the wafers, press up, rotate the pick, the plug will come free. You can either flip the pick around and use the other end to open the lock, or (my favorite) insert a new plug to which you have the key.

Pin Tumbler Padlock

See the following entry. Pin tumbler padlocks are opened the same way as a pin tumbler cylinder door lock. These seem to be the most popular padlock for sale in most standard hardware stores and big box stores.

Pin tumbler cylinder

These are the most common locks, just about everywhere except the cheapest and most expensive locks.

See the introduction to lockpicking to get down the basics. Now onto slightly more advanced topics.

Raking. Every beginner does this more or less accidentally. If you are starting off, use only a hook pick to prevent this. A hook helps only raise one pin at a time. Raking does the opposite, you scrub the pins like you are brushing your teeth. But try to do this somewhat more slowly. Regardless of how you wish to rake, insert your rake pick to the rear of the lock and then apply torsion. There are two ways of raking.

First is fast and sloppy is to rake the pins back and forth a few times. If it doesn’t open, release the torsion and restart. The second, slowly rake holding the pick at an upward cant putting more pressure on the pins, but not to an excessive degree. Do this a few times, back to front. If it doesn’t open, slowly release some torsion until you hear the first click. Then repeat the slow back to front raking. You release the torsion because you are jamming pins above the shear line and by releasing some torsion, you are allowing those pins to release but not resetting all of the tumblers. Raking is very hit or miss unless you have a significant amount of practice on a particular type of lock. You might pop the lock much quicker than picking each tumbler individually, or it might take much longer.

Bumping is the most advanced and easiest form of picking a lock. Ever seen those desktop toys with steel spheres are suspended by two wires each? Pick a sphere on either end, slam it into the other spheres, and the sphere on the oppose end goes flying, but the center spheres don’t move? It’s also how billiards works. Basic Newtonian physics. This applies everywhere, even in locks. Bumping borrows on this. Take a key (any key that fits), shave all points down to the minimum depth. You’ll have a row of low even triangles. Optionally and optimally, the first point (furthest from the handle) is slightly higher. But it doesn’t matter too much. Take your shaved key, insert it into a lock all the way, move it back one click, turn it slightly, whack it with a rubber mallet, plastic handle or whatnot. The lock, with practice, pop open.

Believe it or not, bumping works better and quicker on more expensive locks. It often doesn’t work on the cheapest garbage locks. Why? Tolerances. Tighter the tolerance, the better transfer of energy. So, if you have a lock with loose tolerances, it is easy to pick. If you have a lock with tight tolerances that is annoying to pick, it’ll most likely bump pretty easy. Even Medeco High Security locks used at places like the Pentagon, NSA, White House, etc are susceptible to bumping even when they are near impossible to pick. And boy were a lot of said customers happy when “Open in 30 Seconds” was released.

You can probably bump 60% of all pin tumbler locks with a homemade key run through a grinder and the handle of a screw driver. But professional bumping tools are dirt cheap. Buy a Brockhage for $20 and a set of bump keys for $30, and you’ll be able to open 90% of all pin tumbler locks in a few seconds.

A quick word about “lock guns”. They’re often advertised as being the most effective and quickest means of opening a lock. They’re expensive. They’re reliable too, the first time. They’ll open a lock, and maybe destroy it in the process. A lot of ‘professional locksmiths’ use them for opening people’s doors when they’re locked out. They look impressive, expensive and PROFESSIONAL. One in 20 times, they’ll wreck a lock. Sometimes less, sometimes more. Guess it’s hard to charge people an arm and a leg for using $20-50 worth of key bumping to safely open a lock when you can use a couple hundred dollar gizmo that might destroy it. But hey, if you destroy the lock, might get to sell the customer a new one! One that wasn’t so “cheaply” made that it just fell apart for no reason at all…



Unofficial MIT Guide to Lockpicking – Ted the Tool (Sept 1, 1991) – Other books and references existed long before the MIT Guide, but it’s arguably the most popular and should be creditted as a very diverse guide. Highly recommended, anyone interested in physical security should read this first.

CIA Lock Picking, Field Operative Training Manual – Author unknown? – Allegedly written by the CIA. Who knows, I doubt they’ll exactly claim credit for it. Pretty good condense, good material for disk tumbler locks.

TOOOL Bumping Guide – Barry Wels, Rop Gonggrijp (Jan 26, 2005) – Excellent, definitive guide on bumping locks

Locks, Safe and Security (aka LSS+) – Marc Weber Tobias, J.D. – $200 from, sounds expensive? No, not in the least. You’re getting 3700 pages of information. It covers everything from ancient Egyptian locks to modern locks. If you want to get into lockpicking, buy this eventually. Doesn’t have to be your first lockpick reference, but you really want this book.

Stores – Pretty good store that sells lots of good stuff. You might save a dollar or two elsewhere, but these folks have never screwed up a single order I’ve placed with them. Very fast delivery and a large selection of product. Search around online, they usually have discount codes. – Bargain brand, but still very functional. I recommend them for folks just starting out. I still use my first picks I got from them. – Peterson, higher price and quality – Southern Specialities Co – Decent quality, decent prices, high shipping costs – Direct sale store for Brockhage Locksmith Tools, sell Brockhage bump hammers, will not

sell bump key sets – Bump key sets

Lockpick set recommendations

If you are new and want to get into lockpicking, do not buy an expensive kit. Please don’t. Buy something simple. I really recommend making a kit by buying individual picks and torsion wrenches. Buy a couple different picks from different manufacturers, buy a whole mess of torsion wrenches, and pick which ones you like. But if you HAVE to buy one, go with either of the following, or the cheapest other kit you can find. I don’t recommend it, mind you, I’m just pointing them out at the least worst alternatives.

Southord PXS-05L – $16.50 – Four picks, one torsion wrench, one book

Southern Specialities BPS-6 – $9.95 – Four picks, one wrench, one book

Read More

Video and VOIP Vulnerabilities

We have all seen the bad movies where bad guys intercept a video feed from security cameras and replace the live video stream with a false video stream. This was possible using simple CCTV networks, but not easy with video streaming over large IP networks. Now, it’s relatively trivial.

Most of these can be migrated by using VLAN’s to separate data. Unfortunately, tools exist for VLAN hopping. For VoIP specific applications, voiphopper ( can be used to gain access to Voice VLAN ID by emulating a Cisco, Avaya or Nortel IP phone. Most commonly, it is used to spoof an IP Phone CDP packet and create a new Ethernet port based off the VVID. Once access is granted to the VLAN containing voice or video IP phones, VideoJak (, UCSniff ( or other applications can then be used for interception, man-in-the-middle attacks, replay, or any other desired usage. Increasingly, such tools are rolling VLAN hopping into their functionality for ease of usage.


UCSniff has two modes. Monitoring is of only mild interest as unless the enterprise is using hubs or has SPAN turned on, it is not a serious threat. If an attacker gains access to the switches, however, usage of the tool could be more worrisome. Man-In-The-Middle (MitM) mode is more worrisome. UCSniff works by ARP poisoning the network and re-direct traffic to itself. Unless an enterprise is specifically monitoring for ARP poisoning, the effect is entirely transparent to the user. The most effective hostile deployment is to replace an IP phone with a laptop containing UCSniff. This usually guarantees being on the Voice VLAN and therefore, bypasses any necessity for VLAN hopping. Once on the voice VLAN and in MitM mode, a malicious user can passively intercept, jam, alter, or otherwise manipulate the video streams as they see fit using the tool. One can target a specific user or a specific conversation. UCSniff incorporates automatic VLAN discovery via CDP as well as VLAN hopping capacities.

Another interesting usage of the tool, in a Cisco Unified IP Phone environment, is to collect corporate directories. These directories are very helpful in mapping names to specific devices, and can offer a hostile party a more concise list of targets. This is done through an incorporated tool called ACE, Automated Corporate Enumerator, which mimics the behavior of a phone to acquire all of the necessary personnel information in a very short period of time.

One noticeable method of detention is the cessation of UCSniff without re-ARP’ing the targeted clients. They will all crash. If all IP phones crash at one time without any corresponding server or network issues, a hostile party using ARP poisoning may have disconnected without properly resolving clients back to their original information.


VideoJak is a lightweight tool specifically designed for IP video hijacking or denial of service. Its purpose is to intercept video from a feed, capture a stream, and then replay it on the network. It can also be used to intentionally degrade video IP traffic to varying levels. Very simple and straightforward application, but with problematic implications for IP video surveillance and security systems.

Auxiliary Methods

A cruder but efficient method is to use Wireshark to intercept CDP packets, look for “VOIP VLAN Reply”, and use VLAN hop ( or VOIPHopper to alter one’s assigned VLAN to the corresponding VLAN ID found in the intercepted packets. If a switch is insecurely configured, flooding the CAM tables can make a switch perform like a hub allowing an attacker to intercept additional communication.

Countermeasures for a Cisco environment:

• Turn off CDP if possible

• Do not use default VLAN’s under any circumstances

• Restrict VLAN trunking to strictly the VLAN’s used on that specific switch

• Turn on BPDUguard and rootguard

• Set switchport port-security to prevent CAM table attacks, which may be useful in alleviating ARP poisoning

• Apply a VTP domain password

• Monitor for ARP poisoning

• Isolate corporate phone networks from phones in public spaces

• Follow Cisco’s Phone Hardening guidelines (

• Follow NSA’s Switch Configuration Guide (

Read More

Weaknesses in Electronic Locks

The obvious attack vectors for most locks are the authentication medium. RFID’s are notoriously easy to clone, generally up to 10 meters under practical conditions. Their entire functionality is based off modulated backscatter. A burst of radio frequency is generated, and a portion of it is reflected back at the reading device. This portion is modulated into useful information, usually in the form of a unique number. This unique number is most often tied into a central database for authentication. RFID by itself has absolutely no built in security, which must be provided by an ancillary mechanism. The obvious and most common example of an ancillary authentication mechanism is a personal identification number (PIN) entered into a keypad connected to the RFID reader. Many RFID reader manufacturers offer this as an integrated component.

Unfortunately, ancillary mechanisms are likely not enough to provide adequate security. Most networked building access systems do not use encrypted network traffic, rely on persistent TCP sessions and employ predictable sequence numbering. Most push the applicable data sets down to individual readers, which can be compromised en route. Events are often transmitted back to the central control system, which can allow an intruder to intercept employee traffic. Additionally, in some cases, forged commands can transmitted over the network to lock or unlock doors without the need to know any identification.

No publically known building access system currently encrypts its traffic between the door readers and the control system. This would significantly prevent tampering and would prevent intercepted data. It would also prevent all TCP sequence prediction attacks.

Virtually all modern operating systems use means of avoiding TCP sequence prediction. Many embedded systems, especially building access systems, have not yet resolved this issue. This issue was first significantly documented in April 1989 and many solutions were codified into RFC1948 published in May 1996. Transmission control protocol (TCP) is a protocol that attempts to be reliable and is connection oriented. If a number of TCP packets are received, the sequence number is used to reorder the packets into the correct format. If this sequence is easily guessed, a third party could intercept the traffic and quite easily manipulate both original parties into believing the induced traffic is legitimate. This is known as a “man in the middle” (MITM) attack.

The practical example of attacking a door controller is straight forward.

  1. All door controllers typically have the same first four octets of their MAC address, which can be generally located in vendor documentation or through an internet search.
  2. Once a controller with a matching MAC address is located, poison the ARP cache to redirect traffic through the attacking computer
  3. Use wireshark (or other utility) to monitor packets
  4. Open a packet, observe hex stream payload (which is the open or deny command)
  5. Repeat until confident the payload is an open command. Open commands are significantly more common than deny commands. Statistical analysis should be able to differentiate between an open and deny command relatively quickly. Once this payload is known, this step never has to be repeated.
  6. When you wish to open the door, intercept any packet between the control server and door controller. This does not have to be an open or deny command. It can be a Keep Alive or status transmission sent on a regular basis to monitor for network connectivity.
  7. Use a packet forger, add constant to the sequence bits, and send with hex payload for open.

This command will not be logged by the administrative server, as it is sent directly to the door controller.

Additionally, there have been many other generalized developments in the RFID security field as of late. Of which two are rather significant and worthy of attention. A useful device is scheduled for release at the end of August 2009. The ProxPick, developed by Chris Paget and H4RDW4RE, LLC., offers many useful features for 125-134KHz RFID tags. It can selectively act as a reader, a passive sniffer, play back stored RFID data, or jam a reader. This is more advanced and user friendly than the previous preferred RFID reading tools (primarily ProxMark3 and OpenPCD). This tool was discussed by Chris Paget at the RSA and Defcon conferences. Another interesting development is the development of faraday caged apparel. A company called DIFRwear has made a line of wallets, passport cases, and badge holders that block unwanted RF traffic while the apparel is closed. This was brought to significance by potential and/or alleged security vulnerabilities in RFID enabled credit cards. The products are FIPS 201 certified. Other companies have started developing similar clothing or apparel with built in RF blocking properties.


Migrate all building access devices onto a dedicated network isolated from all other traffic. A less secure solution is to migrate all building access devices to a separate VLAN. An attacker can only cause a “Man in The Middle” attack if they can get physical access to the network. Monitor for MITM attacks and related occurrences such as ARP poisoning, which can be accomplished by most intrusion detection systems.


Picking Electronic Locks using TCP Sequence Prediction – Ricky Lawshae, Defcon 17 presentation

“Security Problems in TCP/IP Protocol Suite” ( – ACM SIGCOMM Computer Communication Review, Vol 19, Issue 2, April 1989

“Defending Against Sequence Number Attacks” ( – RFC# 1948, S. Bellovin (AT&T Research), May 1996

H4RDW4RE ( – Manufacturer of multifunctional ProxPick

OpenPCD ( – RFID development tool

Proxmark ( – RFID development tool

DIFRwear ( – Maker of faraday caged apparel, useful in securing RFID communication.

Read More

Guide to Picking Locks on the Cheap for Beginners

Disclaimer: Don’t do anything stupid or illegal. It’s bad. Besides, if you’re reading this, you’re just starting out. Locks are cheap, and I really prefer to practice on my locks while sitting around my place with beer, wine or a cigar. Only practice on your own locks. It’s a lot more convenient and locks aren’t that expensive. Ask people for old locks they lost the keys to, or ones that use combos they forgot. Snag misc keys the same way. Trust me, they’ll be happy to fork over the worthless junk cluttering up their storage space.

Like most geeks, back in high school I was always poking at stuff to learn about this whole new world thing. Three things caught my attention: computers, locks and books. I was probably one of the few kids to ever get in trouble on a regular basis for reading during class. I’d finish the textbook in a couple days (and generate solutions for all of the problems, early brute forcing skillz) and move onto whatever interested me. My parents were never quite sure if they should be happy or upset at that discipline issue. Anyways, something that caught my eye were the dinky cheap Master locks that everyone was mandated to buy. I noticed that if a student forgot a combination, the facilities folks never cut the padlock off but used a master key to open any lock. That interested and annoyed me. First off, I didn’t like the fact that anyone could open my locker without my knowing, and second, I wanted to know how to that. I “lost” my padlock a couple times, forcing my parents to buy me new ones. (I was a sneaky devil of a child, if you can’t tell.) I disassembled a couple and the rest I experimented on.

Through my experiments, I was horrified to learn the secrets of the padlock. It was… bad. I learned that it’s called a “warded lock”. The lock employs obstructions to block a key. If you get by these obstructions, you open the lock. Snagging a ton of keys from students at the end of the year, I experimented in mutilating the keys to avoid these obstructions. I ended up making my own “master key” that had all bumps shaved down but one. And it opened any Master lock. Now, you can buy “warded key sets” or “warded picks” online for $10. It’s a set of five types of “master keys” that open nearly any warded lock. Horrible friggin security, but they’re cheap and keep honest people honest.

A master key wasn’t very exciting to the average 15 year old. It doesn’t have good presentation value to the ladies and the only slightly more appreciation among the crowd of my peers. So I wanted to find other ways to pick a padlock that looked more difficult and impressive. Eventually I found a way to make a lock think it should be open. I cut up a soda can, forming an M the size of a nickel. I bent the two side pieces back to re-enforce the ‘handle’ and would slip it into the crack between the shackle and the body of the lock. It’d touch the latch holding the shackle closed and spring it open. This is called “shimming”, with the devices called “shims”. Sweet, we’re lockpicking like the movies now!

Pretty impressive, but not good enough. I did some research and found a program for the TI-81 calculator. You’d clear the lock by spinning the dial a bunch of times. Pull on the shackle, it’d bind up on one of the digits. I don’t recall the reset, but I’d punch them into the calculator and it’d give me a list of ten combos. Could be the first, could be the last. So I practiced quite a bit at entering combos. I finally had an impressive (to 15 year olds) act to crack the locks that wasn’t too easy, but not too hard. I got pretty good at the most inefficient means of cracking a Master lock.

Next up, I wanted to learn how most doors worked. Again, easiest way to figure something out when you’re an impatient kid, bash it open with something heavy and figure out how the pieces go together. Come to think of it, that’s still my primary engineering strategy… So I got some door knobs, bashed them open and studied the components. Significantly, significantly different. Much better design. Much harder to crack but shimming still works. Folks think a credit card is handy, but you want something a bit more flexible. Blockbuster card works pretty well, and they’re generally nice about replacing them after you mutilated it. Or you can buy overly expensive flexible metal gizmo’s to do the same task. Whatever works.

Nearly all door locks are pin tumbler locks. You have a cylinder with an opening for the key that rotates to open the lock. Internally, there are a row of pin tumblers. These pins are on springs, and they prevent the cylinder from rotating. They’re usually of different lengths (hence why your keys have all those bumps). Push the pins up a specific amount, and the cylinder freely rotates. These locks can primarily be picked because the pins are of slightly different sizes and tolerances. The lockpicking is essentially turning the cylinder so the pins are jammed between the cylinder and the rest of the assembly. One pin is binding more than the rest. Push that one up, and now it can’t go back down. Find the next pin offering the most resistance, and so forth.

Enough with the boring exposition. Now, onto the exciting part. Let’s pick a lock.

First, what you need to pick a lock. Locate the following.


You need a lock, a multi-tool (buy a decent one), and two paper clips. That’s it. No, seriously.

Find or buy a doorknob. Any will do. Find the nearly cheapest door lock you can find. Unlock it. Look for a hole between the door knob and the part normally touching the door. Move it around until the holes line up. Stick a small screw driver in it. Wiggle around. The doorknob should come off. Now, there should be a notch in the back of the door knob. Stick your screw driver in it, and wiggle off the ring on the back of the doorknob. Now wiggle out the lock cylinder out of the doorknob. Ta’dah!

The lock assembly you are now holding in your hands is a pin tumbler lock, with between five and seven tumblers. That’s a lot for someone just starting out. There should be a block sticking out of the cylinder shaped thing. On top of that block should be a metal cover. We want to remove it. Break out your trusty multi-tool or pliers. Remove the cover. If there are indentations in the top (most likely), you need to pry perpendicular to the angle of that the key is inserted. Watch out, the springs may shoot out. Once you remove the cover plate, use your multi-tool to crush the indentations to being level with the rest of the plate. Now, dump out the contents of the lock. You should get five or six springs, and twice that number of brass pins. One set will be virtually identical. The rest will be slightly longer or shorter. Take ONE of the brass pins from that are virtually identical and drop that one in the first hole closet to the key hole, then drop in one of the variable length brass pins and lastly drop in a spring. Now, slide the cover plate back on. Use your multi-tool to crimp it back into proper shape, but being relatively easy to slide on and off.

We now have a one tumbler lock.

Take two paper clips. Nice mid-sized metal ones. Straight one out into a line, then hold one end into a handle. The other, take the middle loop of metal and bend it out until it is perpendicular to the larger loop, forming an L. Crush the inner loop slightly with your multi-tool. Insert the smaller loop end of the L into the bottom of the lock, away from the pins. Congratulations, you have just made your first lock-pick. It’s a torsion wrench (most often incorrectly called a tension wrench). Your straight line with a handle paper clip is now a “pick”.

Play around with your torsion wrench. You want to make it stick out at a comfy angle. Push on it just slightly with a finger, preferably the same one holding the cylinder. It should also be out of the way so you can freely move your pick.

Here is a way of holding the cylinder and torsion wrench.

Approach 1

And another.

Approach 2

Now, put your lock-pick in the keyhole and probe around inside the lock. Get a feel for the inner dimensions of the lock, without all the pins in it. After you get a feel for the dimensions of the lock, find the tumbler. Put a slight amount of torque/pressure on the torsion wrench and slowly push the pin up. You’ll have to play around a bit with how much torque you’re putting on the lock. You shouldn’t need a lot. You might have to work the pin a few times. When it gets to the right spot, the lock will freely turn. Congratulation, you picked your first lock.

Remove the cover plate from the top of the lock, move the tumbler to another hole. Repeat a bunch of times. It should be pretty easy after the first few tries. Now, let’s make things more complicated. Toss in TWO tumblers. After you apply torque and you start probing the tumblers, you should notice one of the tumblers offers noticeably more resistance. That’s the tumbler with the pin that is binding. Press that tumbler up first. Then press the looser tumbler up secondly. It may now offer more resistance than the previous time you pushed on it, as it’s now the pin that is binding.

Stick with the two tumblers for a while. Move them around between the different openings. After you’re really comfortable, you can start adding more tumblers.

If you’d like an unsolicited suggestion. Don’t buy a “lock picking set”. They’re really overpriced and include lots of stuff you don’t need. Buy a torsion wrench (aka a tension wrench) and a half-diamond pick from any locksmith supply company on the internet. They should be a couple of bucks each. Don’t pay more than roughly $5 for either. You might want to consider buying a couple different variations of the tension wrench and half-diamond pick. You can buy nicer picks later if you really like lockpicking.

Read More