Project JPEG to Matrix

There are times when I hate linux very, very much. Usually when it involves drivers and odd hardware. Other times, I rather love it. For instance, if you want to turn any picture into a Matrix style looking picture. Don’t ask why I’d want to do such a thing, I’m not sure myself.

revdisk@linuxVM01:~$ sudo apt-get install aview
revdisk@linuxVM01:~$ convert OriginalPhoto.jpg Converted01.ppm
revdisk@linuxVM01:~$ aview -width 135 -height 57 -dim -bold -reverse -normal Converted01.ppm

Cheated and screencaptured the window. Saved as Converted02.png

revdisk@linuxVM01:~$ convert Converted02.png Converted03.ppm
revdisk@linuxVM01:~$ convert -colorize 83/1/100 -crop 1080×720+0+10 – geometry 720×480 Converted03.ppm Converted04.ppm
revdisk@linuxVM01:~$ convert Converted04.ppm MatrixFinal.jpg

End result:

Matrix ish Photo

Read More

Scanning Electron Microscope Analysis of Pin Tumblers

Naturally, everyone knows picking locks makes some sort of marks on the pins. Steel is harder than brass, ergo it’s pretty likely to scrape away brass material. I got interested and looked around a bit. I saw a couple decent photos taken with a high MP camera and cropped, but nothing truly showing close up shots. So, I decided to toss a couple pins under an scanning electron microscope. I didn’t happen to have one in my kitchen, so I went to the logical folks. Nanotech physics geeks, of course.

I went to the local Target and picked up three Master branded doorknobs. I liked the brand, as they seemed decent quality but not overly expensive. One was left pristine, one was picked, and one was bumped. I bagged all three cylinders and mailed them off along with a couple bags of candy. If you ever want to get geeks to do something, bribe them with sugar and/or caffeine. In this case, I decided to entertain myself by sending them Smarties and Nerds. I was gonna include a bag of Dum-Dums for the nano geeks to give to the chemistry department, but decided that wouldn’t be nice.

Anyways, onto the photos:

I chopped down the photos a bit to save on bandwidth. Download and zoom to view properly. If anyone really wants the larger files, let me know. They’re not substantially different than if you just zoomed in on the provided. All pins were imaged, and numbered from front to back. Pin 1 being closest to the keyway, Pin 5 being furthest in.

Pristine Cylinder, Pin 5, Photo C


I noticed deep, long scratches even on the unused cylinder. Likely they tested a key at the factory. They were on all pins in all cylinders tested. Often one long scratch, and several smaller ones at different angles.

Pristine Cylinder, Pin 5, Photo D


Different shot of the same pin. You can notice some surface deformation from manufacturing.

Pristine Cylinder, Pin 2


You may notice black specks in various photos. This is primarily dust, but occasionally specks of brass or other contaminates. This is a 100 micron shot of one example of a piece of dust.

Picked Cylinder, Pin 1, Photo B


And now we get to the interesting part. You can fairly clearly see evidence of picking. It does not look even remotely like the key marks. They are significantly less uniform in both length and angle, as keys generally do not have that much play when entering or leaving a lock. The most telling factor (if you look closely) is that they damage the edges of the pin. While key marks do leave scrapes on the pins, they do not mutilate the edges of the pins anywhere near to the same level as picking.


Here is a close up shot of the edge of Picked Cylinder, Pin 1. The edge mutilation is quite visible.

Picked Cylinder, Pin 1, Photo C


Another shot of Pin 1.

Bump Cylinder, Pin 2, Photo B


The evidence of bumping is slightly harder to see at first glance. Bumping appears to leave deeper key marks. Occassionally these key marks are punctuated, like dashes. Regular key marks are long, smooth scrapes.

Bump Cylinder, Pin 2, Photo C


Another shot of the same pin. Note the punctuated key marks.

Bump Cylinder, Pin 3, Photo C


Bumping also plays hell on the edges of a pin. Very deep key marks.

Bump Cylinder, Pin 5, Photo D


Nice clear photo of both punctuated key marks and deep key marks on the edge of the pins.

Pristine Cylinder, Pin 3, Photo C

50 micron shot of a key mark. Key marks are approximately 25 microns wide.

Pristine Cylinder, Pin 3, Photo N


Another 50 micron shot of a key mark.

Picked Cylinder, Pin 3, Photo A


Clear shots of pick marks at the edge of a pin

Picked Cylinder, Pin 3, Photo C


Closer shot of pick marks

All images courtesy of Jeff Doughty and the Nano-Development Lab at Portland State University.

Read More

Thoughts on Taser C2

Disclaimer: While I believe the Taser is not a product I would own or rely upon for my safety, I am NOT an expert. All of my information is based off the product marketing material, the Taser website, and conversations with Taser users (LE, instructors, etc). You should do your OWN research and make your own choices. The following rant is entirely geared around my own assessment for my own situation and the single case cited in the rant. YOUR situation is entirely different and thus my rant probably does not apply well to you.

Tasers are less lethal weapons. They are not 100% safe (safe being nonlethal), and cannot be. Any weapon capable of incapacitating someone in a semi reliable manner has the chance of killing. This should be drilled into anyone’s head before they use a weapon. If a suspect dies from a tasing, it should be reviewed in exactly the same manner that using a firearm would generate. Lethal force is lethal force, regardless of whether a suspect was shot, tased, or brained with a baton. “But I used a taser!” is not and should not be a defense. Mind you, I’m not saying an officer or non-LE person is automatically in the wrong if any suspect dies (regardless of method used), far from it.

Personally and professionally, I find Tasers to be not a good product. Not from a “don’t tase me bro” anti-police way. Bit of background, I’m a “security specialist” in a generic sense. Information security, IT security, physical security, etc. When I look at something, I ponder all of the strengths and weaknesses.

One day an acquaintance asks me about Tasers. She works with a lot of cash and occasionally has to transport it. Her company allowed and encouraged carrying a Taser. She asked me what I knew about them. Aside from learning about them in a basic sense back in the military along with other less lethal weapons for crowd control, I didn’t know much. Thankfully, there’s a EMS/fire/LE/etc supply store across the street. So I went across the street and learned more about them.

First off, two models. LE and a “civilian” model, the Taser C2. (The clerk didn’t like when I joking pointed out that police are civilians too, which was even more amusing.) I didn’t ask too much about the LE version, as my acquaintance was interested in buying one of the cute looking C2 models. The civvie model is light, curvey and non-threatening looking. It’s called the Taser C2, and is visually packaged to express the impression of “consumer electronics” instead of weapon. But hey, that’s just aesthetics. Nothing wrong with that. So let’s move on to why it’s a bad product that is dangerous to the user.

It fires a single cartridge costing $25, which contains compressed air, wire, barbs, etc. And allegedly some kind of micro-ID thingies that can potentially be used to identify a perp as well as the owner. There is no OEM training cartridge for the civvie model. Which means you CANNOT safely test the device unless you’re handy with electricity and know how to safely ground something conductive. There is no way to turn off the juice, so it is risky to test the Taser on anything that is conductive and improperly grounded. Besides it being insane to never being able to safely test and practice with an allegedly life saving device, why is this worrisome?

If you did not read the manual, did not test the device and need to use it in self-defense, you will quickly learn that you have been hauling around a $350 ish paperweight. See, the device needs activation.

I swear to the gods, I am not lying. A weapon that needs permission before usage. I find the concept horrifying, personally, but I guess certain folks would love it. Here is the proof: You must pay an additional fee for a private company to conduct a background check. If you do not pass or don’t activate the product, the Taser C2 is disabled. If the person processing the request makes a mistake or the necessary IT equipment malfunctions, you are out $350 for the device and another $10 for the background check. Since it is a private company, there is no oversight or accountability laws to govern its background checks. And since you can’t safely test it, you have no guarantee that your unit will function as it is needed to function. If you somehow can safely test the unit, it is $25 per functionality check.

Why is this? So if a felon buys a Taser, he can’t use it. Yes, that is the company’s exclusive justification for such a radical product flaw. Because no felon would lie and give false information to Taser’s activation folks, or pay someone else to activate the Taser. Felons are known for their scrupulous honesty and for never lying to suit their own needs.

Let’s ignore the fact that you also handed over your name, address, driver’s license and other deeply personal information to a company. An identity thief’s dream. I wonder how much they pay their data entry clerks? Enough that they wouldn’t be tempted to earn some side cash selling your information? This also assumes the company will not give out your personal information or sell it. Let’s also ignore the deeply offensive treatment of their customers. Each and every customer is treated like a potential criminal at best, and like a mindless child at worst. It is their company, and they can make a buck however they choose.

Well, let’s move onto usage. The design is only practical if you have one attacker. It converts to a “stun gun” if the cartridge is expended (and the unit is not disabled), which is a nice thought and only slightly less useful than having a heavy rock. It allows you to zap a person up to 50 times. But the official usage doctrine for the C2 is to press the button (the C2 model gives shocks in 30 second durations), drop the unit, run to a safe location and call 911. So following that logic… the manufacturer specifically suggests the unit is near useless against more than one aggressor. Unless you carry multiple Tasers, of course.

A $2 knife is starting to sound like a more durable, better designed and significantly safer weapon. I’d buy my acquaintance a full auto MP5 and pay an insane retainer to the sharkyist defense lawyer in the region before I could in good conscience pick up a Taser for her. Hell, I’d buy her a rock before I’d buy her a Taser. Thankfully, the tasteful PR DVD included in the product packet was enough to convince her that they are a really bad idea. It’s a dangerous, poorly designed, and hideously expensive weapon with limited functionality. She’s leaning towards a Keltec or a XD compact.

Read More

Physical Security Countermeasures


The three most common ways of illegally entering a house is kicking in the door, breaking a window and drilling.

Doors are the usual way of entering and leaving a residence. They should and do receive a significant amount of attention, but oddly, 90% of doors are poorly secured. Most doors sold in America frankly suck. They are either metal or wood. Ironically, solid wood doors are usually the more secure. Most wood doors are not solid one piece construction, but often cheap relatively soft light wood with an appealing veneer. Any wood door with deep sections cut out of the door for aesthetic purposes is not recommended. Most residential metal doors are a very light gauge steel of dubious quality. They are near universally hollow or foam filled. At the moment, there are no brand of doors that I would unhesitatingly recommend. It’s usually cheaper to make your own. Laminate a few sheets of decent gauge sheet steel, optionally adding insulation between layers. Glue on wood veneer for pleasing aesthetics. Use three or four decent hinges and the door should still open rather cleanly.

Even with the generally poor quality of locks on residential homes, often the locks are stronger than the door and door jamb. The most common occurrence when a door is kicked is for the latches of the doorknob and deadbolt to rip through the thin surrounding material or for the lock to rip through the door. There is a very simple and relatively inexpensive solution. Reinforce the door jamb. I highly recommend DJ Armor (, but other cheaper versions are better than nothing at all. Your reinforcement kit should include decent gauge metal to go on both sides of the door and a U shaped square of metal to go around the lock.

Here is a somewhat cheesy video demonstrating the product:

One thing that door lamb reinforcing kits will only somewhat help alleviate is a splitter. Basically, imagine a car jack, turned sideways. You crank the jack until the frame is warped and latches are no longer protruding into the door frame. The only solution is to have heavy structural material around the door. Good brick, strong stone, cinder block or concrete. It’s not widely used, as it’s not quick, requires specific equipment, very noticeable and not very subtle. There is a relatively easy if inconvenient solution, a cross bar on the inside of the door that well connected to the frames. It’s not a likely threat, so the solution isn’t really recommended.

If you wanted to be cost effective, you could install a more robust jamb reinforcement setup on one door and devices like “Door Club” (or any other door brace) on any other door. Door braces are pretty simple. You install a device that prevents the door from opening whatsoever when installed. They vary in quality, but they’re pretty cheap and work “well enough” if the door is reasonably well constructed. Downside, of course, is you can’t open the door from the outside and you have at least one hole in your floor.

A very obvious problem is any openings (or potential openings) within arms reach of the locks. Windows, especially. Same theory applies for mail slots, wide gaps between the door and frame. If this applies, buy and install a double cylinder deadbolt. This is a keyed opening on both sides of the door and no latch to automatically open the door. Many such deadbolts include a special “inside only” key. Most people just hang it across from the door, but well out of reach. This is a perfectly valid solution.

If the door surface is flush to the door jamb, it’s easy to shim the door. aka, the old credit card trick. Don’t actually use a credit card. A bendy piece of metal works better. You use it to trip the latch and make the door think it’s currently open. If this is truly problematic, you probably want a different door or door frame. A field expedient solution is to install metal slab covering the latch area. It can be sawed with relative ease, but it’d stop or slow a shim which ordinarily take seconds. Do not use a lever doorknob on the inside of the door if at all possible. They are significantly easier to manipulate with a wire or whatnot.

The most simple and cheapest way to help secure your door is the hinges. These are often overlooked. Use some form of security hinge. Non-removable hinges have a set screw to retain the pin that is only accessible when the door is open. Safety stud hinges have a chunk of metal that sticks out of one side of the hinge to a corresponding hole on the other side of the hinge. If the pin is removed from a safety stud hinge, the door cannot be opened due to the interfering stud. Crimped pins are riveted into place and the pin is not removable. Hinges, even really secure ones, are very cheap. $10 for top of the line hinges is not uncommon. Go insanely speedy on hinges, they’re very often overlooked.

Garage doors are another lovely weak point. Change any remote garage door opener from the default combination. Remove the emergency pull rope on the inside of the door if practical. If not practical, shorten it and do not put it in a loop that is easy to snag with a shim. When you are leaving for an extended period of time, disable the garage door opener, disengage the mechanism, and use at least one padlock on the door on the inside. I personally recommend securing any door between your garage and your house like an external door, but most people do not.

Ok, enough of that. Now onto the fun stuff, locks. If you want to go the cheaper route, buy any doorknob you like and install a very good deadbolt. You don’t want to reverse that. Doorknobs by their nature are easier to attack. For cheaper doorknobs, you can remove the handle with a set of pliers or a small sledgehammer, then use a screwdriver to turn the door mechanism. Even the best doorknobs are vulnerable to this, just requiring significantly more force or time until failure.

Deadbolts. I really, really recommend an Abloy. Obviously, I’m really into lock picking. I have never, once heard about someone picking or bumping an Abloy. Not even dubious second or third hand accounts. The only weakness I’m familiar with is a specialized drill head sold in Europe to licensed locksmiths, which is obviously and definitely not a “nondestructive entry” method. Conventional drills will work. Eventually. If they don’t burn out the drill…

Now, again, you get what you pay for. You can go with an Abloy cylinder in a third party deadbolt case, which is cheaper, $120 at and is a ANSI grade 2. Or you can go whole hog, ANSI Grade 1 or Or you can take a step down and go with a Medeco. Medeco is first tier and it’d do you just fine. It’s used at the Pentagon, White House, etc. But it’s significantly less secure than an Abloy. Medecos are vulnerable to bumping. They are/were King of the Mountain, and folks REALLY threw themselves at it. The result is “Open In 30 Seconds” which is an entire book entirely on cracking Medeco locks. I don’t really recommend the BiLock deadbolts, though it is considered a first tier product. All three would do you just fine, I’m just being a security geek and pointing out theoretical attack vectors that are possible but pretty highly unlikely.

If you do go with an Abloy, you can almost always get your locks same keyed at little to no cost. You’d probably want that if you get a new knob set along with a new deadbolt. One bit of warning, GET EXTRA KEYS. If you lock yourself out, your locksmith is going to alternate staring at the door and staring at you. He’s expressly NOT going to be able to fabricate keys for you. That’s kinda the whole point. Oh, bonus, Abloy keys are interchangeable on the same platform. You can get any number of deadbolts, door knobs and padlocks keyed to the same key with ease. It just has to be the same line of cylinder. Elite, Protec, whatever.

Now let’s jump into the ultra paranoid realm for a second. I’m not advocating any of these, as it’s seriously overkill for any home. First is shielding. Even the best locks are vulnerable to denial of service attacks. Usually juvenile delinquents that insert glue into a lock. To prevent denial of service attempts and even more drill resistance, you want to combine an Abloy and a Drumm Security Geminy Deadbolt Shield. With a high performance drill, you might drill through both in roughly… hour or two. Mind you, that’s with the best drill and bits. A regular handheld? I dunno, eight or nine hours if at all. For even more security, Abloy offers various levels of key protection. For an extra couple bucks (per key, not per lock), you can buy a different key profile. If you bought this, only the original vendor and the factory have the replacement keys. No other vendor or locksmith could reproduce your keys. The vendors and factory would only release new keys under very strict procedures. Defense in depth. You could install a door jamb reinforcement kit on a bedroom door, and a no-key latch-only deadbolt. If someone were to break in, you’d gain extra time to secure weaponry or dial 911. Also, it is possible to remove peepholes from a door and install one in the opposite direction.

That’s enough on doors. Now onto…


First rule. Film all accessible windows or glass. If it’s on the ground floor, definitely film. If it’s on the second floor… Strongly consider it. I strongly recommend ShatterGARD ( Other security films may or may not be just as good, thoroughly review before purchasing. I extremely strongly recommend getting it professionally installed. It’s really easy (slap on, mist with liquid, squeegee) but you really don’t want to blotch the job.

Here is a mildly cheesy video demo:

Windows are hard to give specific advice, because they greatly vary. Consider installing real locks on the windows. You can improvise on a temporary basis by cutting some wooden dowels to size to prevent the windows from being jimmied open while you’re gone. These are excellent:

You could get by with any hasp and a padlock if you wanted an ugly but efficient install. Line up the hasp, use a magic marker to fill in the holes, remove hasp, drill a thin pilot hole, line up hasp again, inject in some glue, drill in nice deep wood screws of good quality. Cyanoacrylate is great, but you need to move quickly and it’s very unforgiving of error.

Full length door windows = bad. Very bad. Immediately install a double cylinder deadbolt. Even a kwikset double cylinder deadbolt would a thousand times more secure than a single cylinder Abloy deadbolt in this case. You could film the door window and it’d be ok (but not good). Consider reinforcing the window frame. I’d recommend, if financially capable, eventually replace that door. Don’t even consider a door brace for the door with a full length window. If they can SEE the door brace, they’re going to go through the glass.


Work from the worst problems to the mildest. You do one bit at a time if you’re financially limited or pick and choose if you feel any of the above is overkill. Just always remember, physical security is only as strong as the weakest link.

Regardless of your cash level: Wooden dowel the windows when you’re gone, secure garage when you’re gone, immediately and without delay install double cylinder deadbolt if you have glass near the deadbolt. Security hinges are a must and dirt cheap.

Read More

A More Comprehensive Guide to Lockpicking

Legalities, Rationalities, etc

Don’t break the law. Lawyers are not cheap, and jail is not a pleasant place. Just buy a lock. It’s easier to work and it’s legal. If you’re low on cash, ask friends, family and coworkers for locks with no keys. You can easily fashion your own tools and such if need be.

Now, you might ask, why teach people to break the law? Trust me, I’m not. Some criminals could teach a master locksmith plenty of tricks that are completely unknown to the legitimate locksmithing trade. This is not speculation. I have known roughly a dozen guards from various high security prisons. With few tools (of a kind a guard is willing to hand to a convict), a prisoner could pop open a car or truck door in seconds on demand.

I am a security geek. Any information security professional will tell you, it’s nice to have an expensive firewall, good patch regiment, good policies, and all that. But does that help you if someone steals your physical server? I’ve seen data center doors opened with a Blockbuster card, and I’m not being sarcastic. Most locks suck. They really suck. Computer security has made huge progress over the last ten years, due to full and open disclosure. Rather than suppressing vulneralities, systems were put into place to collect security issues, get manufacturers to fix the issues, and publish the fix. There is always a worry that publishing a fix will tip bad guys to how to exploit a vulnerability. Regardless of how the bad guys are tipped off, a vulnerability exists whether it’s publically known or not. Most of the time, it is virtually impossible to know if the bad guys know about a vulnerability unless they publically expose their finding.

The lock industry and the locksmith industry often do not believe their customers have a right to know what they are getting for their money. A lot of folks think differently. Regardless of knowledge, a lock is either secure or it is not. Knowledge doesn’t change the physics of a lock. If you’re reading this, go ask a random stranger nearby how secure their locks are. If they don’t answer, “Could be opened in a few seconds, with no damage or apparent evidence”, they are not well informed. They should be.

Besides, criminals tend to bypass locks. They break a window and enter, or smash the door in. A sledgehammer on the door knob works too. If you put a Club on your steering column, they’ll cut into the steering wheel with snips, a hacksaw or whatnot and remove the club with ease. If you want to make your house relatively secure, put anti-shatter security film on your windows, use decent locks, reinforce your door jam, put motion lights around the property, etc. Get an alarm or a dog.

How to Pick Locks

Warded Padlocks

Cheapest type of lock. They work by allowing ‘any key’ that touches the latch to open the lock. Different obstacles are placed in the way to block any ‘unauthorized’ key. So you just have to avoid said obstacles (which are known as wards). Buy a $10 ward key set from any lockpick set. It’ll open any old ward padlock, and the cheapest modern warded padlocks.

The modern warded padlocks are slightly better. Most of them are specifically designed to block that generic $10 ward key set. Still pretty easy to defeat. Take your key. Count the number of things sticking out. Make that many copies of the original key. On each copy, shave off all but one of the bumps. One of said mutilated keys will open every example of that locks, it’s usually the key with the last possible bump furthest from the handle.

Shimming is not “lockpicking”, it’s a bypass. A bypass is a method of opening a lock by going around the actual locking mechanism. A shim is a flexible but slightly stiff piece of metal. It’s very simple to make. Get a Coke can. Cut out a rectangular piece one inch by half an inch. Cut a two V’s on one of the long sides, fold the end pieces over to reinforce the ‘handle’. You should have a V sticking out with a flattened end sticking out of a somewhat reinforced handle. Slide the V side of the shim on the inside of shackle into the padlock. Preferably on the side of the shackle that comes out of the padlock when opened. This trips the latch and opens the padlock.

Professionally made shims are available for sale online. They’re significantly more expensive than a mutilated soda can, so it might be work to buy a six pack and experiment. Even the best made shims won’t last more than half a dozen attempts. On the other hand, some padlocks can be opened by professional shims with relative ease and by the average homemade shim with great difficulty. Try both and see what works for you.

Combination Padlocks

The quickest way to open a combination padlock is to shim it. See above.

There is a HUGE variety of combination padlocks. The industry standard is the Master Lock silver padlock with the black and white dial. They’ve significantly improved over the years. I will give credit where credit is due, Master Lock has greatly improved their security over the years.

This trick worked when I was back in high school, it will probably work on any Master padlock made in the late 80’s to the early 90’s.

To get the first number, pull on the shackle, turning the dial to the left until it stops moving. Add five. To get the second number, reset the lock (spin it a bunch of times), enter the first number, turn to the right past the first number, now start pulling on the shackle as you continue to turn. Eventually it will stop and lock up. While locked up, pull on the shackle and try to turn. If it’s loose, keep going. If it’s very stiff, that’s the second number. For the last number… Enter in the first two combinations, then slowly turn the dial while pulling on the shackle. Eventually it will unlock. Remember, this only works on older Master Locks.

You can try the following for all but the very newest Master Locks. Sometimes it works, sometimes it doesn’t.

Reset the lock (spin the dial a few times). Stop on zero. Apply steady, firm but not insane tension on the shackle. Turn the dial slowly clockwise, eventually it will seize up. Write down the number (it might be between two integers, if so add 0.5). Now start turning counterclockwise. It will again seize up. Write down the number. Add the two numbers, divide by 2, this is your seize point. Release the shackle, turn the dial clockwise one number past the seize point. Reapply tension, repeat the process. You should get 12 seize points. Be sure to write them down.

Once you have found all seize points, knock off any that are not integers. You should have five left. Four of the five will share the same last number. The one of the five that does not share the same last number is the third number of the comination. Divide the third number of the combination by 4, write down the remainder. Now, write down the remainder (and mark it AS the remainder), and start a sequence of adding 4 until you reach the limit of the dial. For example, if your remainder was 2, write down 2, 6, 10, 14, etc. Mark this sequence as possible first numbers of the combination.

Now, if your remainder is 0 or 1, add 2. If it was 2 or 3, substract 2. Start a new sequence, starting with the number you just got. Now continue the sequence by adding 4 to it until you reach the end of the dial. Mark this sequence as possible second numbers of the combination. Remove any numbers within two digits of the third number of the combination. Now, generate a list of all possible combinations from the sequences and the known third number. Should be a total of 80 possible combinations, which is why you want to try to shim the lock.

You can also put the third number of the combination into this website and it will generate a chart for you:

Wafer locks

Wafer locks are similiar to pin tumblers, except they are thin slabs of metal and much closer together. They’re very common in furniture type locks, usually in desks and filing cabinets.

Buy a try-out key set, also called a “jiggler set”. Insert try-out key, jiggle, turn the lock. Very straight forward. There are some specialized picks that can be used, but most often try-out keys are quicker and just as efficient.

One note. Often in office environments, the plug is removable by an extra pin at the end. This ‘master pin’ is the only thing actually holding the entire plug inside the enclosure. if those is the case: use a short hook pick, feel to the end of the wafers, press up, rotate the pick, the plug will come free. You can either flip the pick around and use the other end to open the lock, or (my favorite) insert a new plug to which you have the key.

Pin Tumbler Padlock

See the following entry. Pin tumbler padlocks are opened the same way as a pin tumbler cylinder door lock. These seem to be the most popular padlock for sale in most standard hardware stores and big box stores.

Pin tumbler cylinder

These are the most common locks, just about everywhere except the cheapest and most expensive locks.

See the introduction to lockpicking to get down the basics. Now onto slightly more advanced topics.

Raking. Every beginner does this more or less accidentally. If you are starting off, use only a hook pick to prevent this. A hook helps only raise one pin at a time. Raking does the opposite, you scrub the pins like you are brushing your teeth. But try to do this somewhat more slowly. Regardless of how you wish to rake, insert your rake pick to the rear of the lock and then apply torsion. There are two ways of raking.

First is fast and sloppy is to rake the pins back and forth a few times. If it doesn’t open, release the torsion and restart. The second, slowly rake holding the pick at an upward cant putting more pressure on the pins, but not to an excessive degree. Do this a few times, back to front. If it doesn’t open, slowly release some torsion until you hear the first click. Then repeat the slow back to front raking. You release the torsion because you are jamming pins above the shear line and by releasing some torsion, you are allowing those pins to release but not resetting all of the tumblers. Raking is very hit or miss unless you have a significant amount of practice on a particular type of lock. You might pop the lock much quicker than picking each tumbler individually, or it might take much longer.

Bumping is the most advanced and easiest form of picking a lock. Ever seen those desktop toys with steel spheres are suspended by two wires each? Pick a sphere on either end, slam it into the other spheres, and the sphere on the oppose end goes flying, but the center spheres don’t move? It’s also how billiards works. Basic Newtonian physics. This applies everywhere, even in locks. Bumping borrows on this. Take a key (any key that fits), shave all points down to the minimum depth. You’ll have a row of low even triangles. Optionally and optimally, the first point (furthest from the handle) is slightly higher. But it doesn’t matter too much. Take your shaved key, insert it into a lock all the way, move it back one click, turn it slightly, whack it with a rubber mallet, plastic handle or whatnot. The lock, with practice, pop open.

Believe it or not, bumping works better and quicker on more expensive locks. It often doesn’t work on the cheapest garbage locks. Why? Tolerances. Tighter the tolerance, the better transfer of energy. So, if you have a lock with loose tolerances, it is easy to pick. If you have a lock with tight tolerances that is annoying to pick, it’ll most likely bump pretty easy. Even Medeco High Security locks used at places like the Pentagon, NSA, White House, etc are susceptible to bumping even when they are near impossible to pick. And boy were a lot of said customers happy when “Open in 30 Seconds” was released.

You can probably bump 60% of all pin tumbler locks with a homemade key run through a grinder and the handle of a screw driver. But professional bumping tools are dirt cheap. Buy a Brockhage for $20 and a set of bump keys for $30, and you’ll be able to open 90% of all pin tumbler locks in a few seconds.

A quick word about “lock guns”. They’re often advertised as being the most effective and quickest means of opening a lock. They’re expensive. They’re reliable too, the first time. They’ll open a lock, and maybe destroy it in the process. A lot of ‘professional locksmiths’ use them for opening people’s doors when they’re locked out. They look impressive, expensive and PROFESSIONAL. One in 20 times, they’ll wreck a lock. Sometimes less, sometimes more. Guess it’s hard to charge people an arm and a leg for using $20-50 worth of key bumping to safely open a lock when you can use a couple hundred dollar gizmo that might destroy it. But hey, if you destroy the lock, might get to sell the customer a new one! One that wasn’t so “cheaply” made that it just fell apart for no reason at all…



Unofficial MIT Guide to Lockpicking – Ted the Tool (Sept 1, 1991) – Other books and references existed long before the MIT Guide, but it’s arguably the most popular and should be creditted as a very diverse guide. Highly recommended, anyone interested in physical security should read this first.

CIA Lock Picking, Field Operative Training Manual – Author unknown? – Allegedly written by the CIA. Who knows, I doubt they’ll exactly claim credit for it. Pretty good condense, good material for disk tumbler locks.

TOOOL Bumping Guide – Barry Wels, Rop Gonggrijp (Jan 26, 2005) – Excellent, definitive guide on bumping locks

Locks, Safe and Security (aka LSS+) – Marc Weber Tobias, J.D. – $200 from, sounds expensive? No, not in the least. You’re getting 3700 pages of information. It covers everything from ancient Egyptian locks to modern locks. If you want to get into lockpicking, buy this eventually. Doesn’t have to be your first lockpick reference, but you really want this book.

Stores – Pretty good store that sells lots of good stuff. You might save a dollar or two elsewhere, but these folks have never screwed up a single order I’ve placed with them. Very fast delivery and a large selection of product. Search around online, they usually have discount codes. – Bargain brand, but still very functional. I recommend them for folks just starting out. I still use my first picks I got from them. – Peterson, higher price and quality – Southern Specialities Co – Decent quality, decent prices, high shipping costs – Direct sale store for Brockhage Locksmith Tools, sell Brockhage bump hammers, will not

sell bump key sets – Bump key sets

Lockpick set recommendations

If you are new and want to get into lockpicking, do not buy an expensive kit. Please don’t. Buy something simple. I really recommend making a kit by buying individual picks and torsion wrenches. Buy a couple different picks from different manufacturers, buy a whole mess of torsion wrenches, and pick which ones you like. But if you HAVE to buy one, go with either of the following, or the cheapest other kit you can find. I don’t recommend it, mind you, I’m just pointing them out at the least worst alternatives.

Southord PXS-05L – $16.50 – Four picks, one torsion wrench, one book

Southern Specialities BPS-6 – $9.95 – Four picks, one wrench, one book

Read More

Thoughts of Relativistic Travel (or “Why we have never met little green men”)

Very simple. Either life outside of earth doesn’t exist or we’ll only see it if we cheat.

The universe could be filled with tons and tons of planets brimming with life. We very well could live and die as a species without ever knowing. Stars are really far apart. Words can’t accurately described the distance; we make do with scientific notation. You can’t travel at light speed, or a fraction of light speed. Relativistic speed is a Bad Thing. Ignoring time issues, it takes an extraordinarily large amount of energy to get to those speeds. If you can possibly get to those speeds, you will eventually hit something. Doesn’t matter what it is, could be the size of a pea. At relativistic speeds, that’s more or less like running into a small planet or whatnot. But let’s say you COULD go the speed of light, safely. Ok, you could realistically visit a handful of nearby stars with very big starships that were multi-generational. Not a bad solution. But the probable lifespan of humanity would be limited to less a dozen solar systems, none of which could probably be reached in one lifespan. There are not more than a handful of stars within a million light years of earth. A million years is a bit long for any piece of technology to survive. Entropy is just one of those facts of life.

It doesn’t matter if you could go the speed of light, ten times the speed of light or a thousand times the speed of light. You’d be limited to a very, very small corner of the universe. The only way to realistically travel the universe would be near instantaneous travel. It’s not faster than light (FTL), it’s instantaneous or nearly so. Space folding, wormholes, alternative reality hacking, whatnot.

It may be very possible that instantaneous travel across astronomic distances is impossible. Current physics don’t seem to think it’s practical. So when someone acts smug and quotes Fermi paradox, remind them that Fermi was ignoring the distance factor. Same with the Great Silence. A civilization on a distant planet could turn their entire planet into a huge radio and we wouldn’t notice it for millions, hundreds of millions or billions of years. The universe is spreading out at a rapid distance. Each second, most galaxies move a bit further away.

Read More

Video and VOIP Vulnerabilities

We have all seen the bad movies where bad guys intercept a video feed from security cameras and replace the live video stream with a false video stream. This was possible using simple CCTV networks, but not easy with video streaming over large IP networks. Now, it’s relatively trivial.

Most of these can be migrated by using VLAN’s to separate data. Unfortunately, tools exist for VLAN hopping. For VoIP specific applications, voiphopper ( can be used to gain access to Voice VLAN ID by emulating a Cisco, Avaya or Nortel IP phone. Most commonly, it is used to spoof an IP Phone CDP packet and create a new Ethernet port based off the VVID. Once access is granted to the VLAN containing voice or video IP phones, VideoJak (, UCSniff ( or other applications can then be used for interception, man-in-the-middle attacks, replay, or any other desired usage. Increasingly, such tools are rolling VLAN hopping into their functionality for ease of usage.


UCSniff has two modes. Monitoring is of only mild interest as unless the enterprise is using hubs or has SPAN turned on, it is not a serious threat. If an attacker gains access to the switches, however, usage of the tool could be more worrisome. Man-In-The-Middle (MitM) mode is more worrisome. UCSniff works by ARP poisoning the network and re-direct traffic to itself. Unless an enterprise is specifically monitoring for ARP poisoning, the effect is entirely transparent to the user. The most effective hostile deployment is to replace an IP phone with a laptop containing UCSniff. This usually guarantees being on the Voice VLAN and therefore, bypasses any necessity for VLAN hopping. Once on the voice VLAN and in MitM mode, a malicious user can passively intercept, jam, alter, or otherwise manipulate the video streams as they see fit using the tool. One can target a specific user or a specific conversation. UCSniff incorporates automatic VLAN discovery via CDP as well as VLAN hopping capacities.

Another interesting usage of the tool, in a Cisco Unified IP Phone environment, is to collect corporate directories. These directories are very helpful in mapping names to specific devices, and can offer a hostile party a more concise list of targets. This is done through an incorporated tool called ACE, Automated Corporate Enumerator, which mimics the behavior of a phone to acquire all of the necessary personnel information in a very short period of time.

One noticeable method of detention is the cessation of UCSniff without re-ARP’ing the targeted clients. They will all crash. If all IP phones crash at one time without any corresponding server or network issues, a hostile party using ARP poisoning may have disconnected without properly resolving clients back to their original information.


VideoJak is a lightweight tool specifically designed for IP video hijacking or denial of service. Its purpose is to intercept video from a feed, capture a stream, and then replay it on the network. It can also be used to intentionally degrade video IP traffic to varying levels. Very simple and straightforward application, but with problematic implications for IP video surveillance and security systems.

Auxiliary Methods

A cruder but efficient method is to use Wireshark to intercept CDP packets, look for “VOIP VLAN Reply”, and use VLAN hop ( or VOIPHopper to alter one’s assigned VLAN to the corresponding VLAN ID found in the intercepted packets. If a switch is insecurely configured, flooding the CAM tables can make a switch perform like a hub allowing an attacker to intercept additional communication.

Countermeasures for a Cisco environment:

• Turn off CDP if possible

• Do not use default VLAN’s under any circumstances

• Restrict VLAN trunking to strictly the VLAN’s used on that specific switch

• Turn on BPDUguard and rootguard

• Set switchport port-security to prevent CAM table attacks, which may be useful in alleviating ARP poisoning

• Apply a VTP domain password

• Monitor for ARP poisoning

• Isolate corporate phone networks from phones in public spaces

• Follow Cisco’s Phone Hardening guidelines (

• Follow NSA’s Switch Configuration Guide (

Read More

Weaknesses in Electronic Locks

The obvious attack vectors for most locks are the authentication medium. RFID’s are notoriously easy to clone, generally up to 10 meters under practical conditions. Their entire functionality is based off modulated backscatter. A burst of radio frequency is generated, and a portion of it is reflected back at the reading device. This portion is modulated into useful information, usually in the form of a unique number. This unique number is most often tied into a central database for authentication. RFID by itself has absolutely no built in security, which must be provided by an ancillary mechanism. The obvious and most common example of an ancillary authentication mechanism is a personal identification number (PIN) entered into a keypad connected to the RFID reader. Many RFID reader manufacturers offer this as an integrated component.

Unfortunately, ancillary mechanisms are likely not enough to provide adequate security. Most networked building access systems do not use encrypted network traffic, rely on persistent TCP sessions and employ predictable sequence numbering. Most push the applicable data sets down to individual readers, which can be compromised en route. Events are often transmitted back to the central control system, which can allow an intruder to intercept employee traffic. Additionally, in some cases, forged commands can transmitted over the network to lock or unlock doors without the need to know any identification.

No publically known building access system currently encrypts its traffic between the door readers and the control system. This would significantly prevent tampering and would prevent intercepted data. It would also prevent all TCP sequence prediction attacks.

Virtually all modern operating systems use means of avoiding TCP sequence prediction. Many embedded systems, especially building access systems, have not yet resolved this issue. This issue was first significantly documented in April 1989 and many solutions were codified into RFC1948 published in May 1996. Transmission control protocol (TCP) is a protocol that attempts to be reliable and is connection oriented. If a number of TCP packets are received, the sequence number is used to reorder the packets into the correct format. If this sequence is easily guessed, a third party could intercept the traffic and quite easily manipulate both original parties into believing the induced traffic is legitimate. This is known as a “man in the middle” (MITM) attack.

The practical example of attacking a door controller is straight forward.

  1. All door controllers typically have the same first four octets of their MAC address, which can be generally located in vendor documentation or through an internet search.
  2. Once a controller with a matching MAC address is located, poison the ARP cache to redirect traffic through the attacking computer
  3. Use wireshark (or other utility) to monitor packets
  4. Open a packet, observe hex stream payload (which is the open or deny command)
  5. Repeat until confident the payload is an open command. Open commands are significantly more common than deny commands. Statistical analysis should be able to differentiate between an open and deny command relatively quickly. Once this payload is known, this step never has to be repeated.
  6. When you wish to open the door, intercept any packet between the control server and door controller. This does not have to be an open or deny command. It can be a Keep Alive or status transmission sent on a regular basis to monitor for network connectivity.
  7. Use a packet forger, add constant to the sequence bits, and send with hex payload for open.

This command will not be logged by the administrative server, as it is sent directly to the door controller.

Additionally, there have been many other generalized developments in the RFID security field as of late. Of which two are rather significant and worthy of attention. A useful device is scheduled for release at the end of August 2009. The ProxPick, developed by Chris Paget and H4RDW4RE, LLC., offers many useful features for 125-134KHz RFID tags. It can selectively act as a reader, a passive sniffer, play back stored RFID data, or jam a reader. This is more advanced and user friendly than the previous preferred RFID reading tools (primarily ProxMark3 and OpenPCD). This tool was discussed by Chris Paget at the RSA and Defcon conferences. Another interesting development is the development of faraday caged apparel. A company called DIFRwear has made a line of wallets, passport cases, and badge holders that block unwanted RF traffic while the apparel is closed. This was brought to significance by potential and/or alleged security vulnerabilities in RFID enabled credit cards. The products are FIPS 201 certified. Other companies have started developing similar clothing or apparel with built in RF blocking properties.


Migrate all building access devices onto a dedicated network isolated from all other traffic. A less secure solution is to migrate all building access devices to a separate VLAN. An attacker can only cause a “Man in The Middle” attack if they can get physical access to the network. Monitor for MITM attacks and related occurrences such as ARP poisoning, which can be accomplished by most intrusion detection systems.


Picking Electronic Locks using TCP Sequence Prediction – Ricky Lawshae, Defcon 17 presentation

“Security Problems in TCP/IP Protocol Suite” ( – ACM SIGCOMM Computer Communication Review, Vol 19, Issue 2, April 1989

“Defending Against Sequence Number Attacks” ( – RFC# 1948, S. Bellovin (AT&T Research), May 1996

H4RDW4RE ( – Manufacturer of multifunctional ProxPick

OpenPCD ( – RFID development tool

Proxmark ( – RFID development tool

DIFRwear ( – Maker of faraday caged apparel, useful in securing RFID communication.

Read More

Guide to Picking Locks on the Cheap for Beginners

Disclaimer: Don’t do anything stupid or illegal. It’s bad. Besides, if you’re reading this, you’re just starting out. Locks are cheap, and I really prefer to practice on my locks while sitting around my place with beer, wine or a cigar. Only practice on your own locks. It’s a lot more convenient and locks aren’t that expensive. Ask people for old locks they lost the keys to, or ones that use combos they forgot. Snag misc keys the same way. Trust me, they’ll be happy to fork over the worthless junk cluttering up their storage space.

Like most geeks, back in high school I was always poking at stuff to learn about this whole new world thing. Three things caught my attention: computers, locks and books. I was probably one of the few kids to ever get in trouble on a regular basis for reading during class. I’d finish the textbook in a couple days (and generate solutions for all of the problems, early brute forcing skillz) and move onto whatever interested me. My parents were never quite sure if they should be happy or upset at that discipline issue. Anyways, something that caught my eye were the dinky cheap Master locks that everyone was mandated to buy. I noticed that if a student forgot a combination, the facilities folks never cut the padlock off but used a master key to open any lock. That interested and annoyed me. First off, I didn’t like the fact that anyone could open my locker without my knowing, and second, I wanted to know how to that. I “lost” my padlock a couple times, forcing my parents to buy me new ones. (I was a sneaky devil of a child, if you can’t tell.) I disassembled a couple and the rest I experimented on.

Through my experiments, I was horrified to learn the secrets of the padlock. It was… bad. I learned that it’s called a “warded lock”. The lock employs obstructions to block a key. If you get by these obstructions, you open the lock. Snagging a ton of keys from students at the end of the year, I experimented in mutilating the keys to avoid these obstructions. I ended up making my own “master key” that had all bumps shaved down but one. And it opened any Master lock. Now, you can buy “warded key sets” or “warded picks” online for $10. It’s a set of five types of “master keys” that open nearly any warded lock. Horrible friggin security, but they’re cheap and keep honest people honest.

A master key wasn’t very exciting to the average 15 year old. It doesn’t have good presentation value to the ladies and the only slightly more appreciation among the crowd of my peers. So I wanted to find other ways to pick a padlock that looked more difficult and impressive. Eventually I found a way to make a lock think it should be open. I cut up a soda can, forming an M the size of a nickel. I bent the two side pieces back to re-enforce the ‘handle’ and would slip it into the crack between the shackle and the body of the lock. It’d touch the latch holding the shackle closed and spring it open. This is called “shimming”, with the devices called “shims”. Sweet, we’re lockpicking like the movies now!

Pretty impressive, but not good enough. I did some research and found a program for the TI-81 calculator. You’d clear the lock by spinning the dial a bunch of times. Pull on the shackle, it’d bind up on one of the digits. I don’t recall the reset, but I’d punch them into the calculator and it’d give me a list of ten combos. Could be the first, could be the last. So I practiced quite a bit at entering combos. I finally had an impressive (to 15 year olds) act to crack the locks that wasn’t too easy, but not too hard. I got pretty good at the most inefficient means of cracking a Master lock.

Next up, I wanted to learn how most doors worked. Again, easiest way to figure something out when you’re an impatient kid, bash it open with something heavy and figure out how the pieces go together. Come to think of it, that’s still my primary engineering strategy… So I got some door knobs, bashed them open and studied the components. Significantly, significantly different. Much better design. Much harder to crack but shimming still works. Folks think a credit card is handy, but you want something a bit more flexible. Blockbuster card works pretty well, and they’re generally nice about replacing them after you mutilated it. Or you can buy overly expensive flexible metal gizmo’s to do the same task. Whatever works.

Nearly all door locks are pin tumbler locks. You have a cylinder with an opening for the key that rotates to open the lock. Internally, there are a row of pin tumblers. These pins are on springs, and they prevent the cylinder from rotating. They’re usually of different lengths (hence why your keys have all those bumps). Push the pins up a specific amount, and the cylinder freely rotates. These locks can primarily be picked because the pins are of slightly different sizes and tolerances. The lockpicking is essentially turning the cylinder so the pins are jammed between the cylinder and the rest of the assembly. One pin is binding more than the rest. Push that one up, and now it can’t go back down. Find the next pin offering the most resistance, and so forth.

Enough with the boring exposition. Now, onto the exciting part. Let’s pick a lock.

First, what you need to pick a lock. Locate the following.


You need a lock, a multi-tool (buy a decent one), and two paper clips. That’s it. No, seriously.

Find or buy a doorknob. Any will do. Find the nearly cheapest door lock you can find. Unlock it. Look for a hole between the door knob and the part normally touching the door. Move it around until the holes line up. Stick a small screw driver in it. Wiggle around. The doorknob should come off. Now, there should be a notch in the back of the door knob. Stick your screw driver in it, and wiggle off the ring on the back of the doorknob. Now wiggle out the lock cylinder out of the doorknob. Ta’dah!

The lock assembly you are now holding in your hands is a pin tumbler lock, with between five and seven tumblers. That’s a lot for someone just starting out. There should be a block sticking out of the cylinder shaped thing. On top of that block should be a metal cover. We want to remove it. Break out your trusty multi-tool or pliers. Remove the cover. If there are indentations in the top (most likely), you need to pry perpendicular to the angle of that the key is inserted. Watch out, the springs may shoot out. Once you remove the cover plate, use your multi-tool to crush the indentations to being level with the rest of the plate. Now, dump out the contents of the lock. You should get five or six springs, and twice that number of brass pins. One set will be virtually identical. The rest will be slightly longer or shorter. Take ONE of the brass pins from that are virtually identical and drop that one in the first hole closet to the key hole, then drop in one of the variable length brass pins and lastly drop in a spring. Now, slide the cover plate back on. Use your multi-tool to crimp it back into proper shape, but being relatively easy to slide on and off.

We now have a one tumbler lock.

Take two paper clips. Nice mid-sized metal ones. Straight one out into a line, then hold one end into a handle. The other, take the middle loop of metal and bend it out until it is perpendicular to the larger loop, forming an L. Crush the inner loop slightly with your multi-tool. Insert the smaller loop end of the L into the bottom of the lock, away from the pins. Congratulations, you have just made your first lock-pick. It’s a torsion wrench (most often incorrectly called a tension wrench). Your straight line with a handle paper clip is now a “pick”.

Play around with your torsion wrench. You want to make it stick out at a comfy angle. Push on it just slightly with a finger, preferably the same one holding the cylinder. It should also be out of the way so you can freely move your pick.

Here is a way of holding the cylinder and torsion wrench.

Approach 1

And another.

Approach 2

Now, put your lock-pick in the keyhole and probe around inside the lock. Get a feel for the inner dimensions of the lock, without all the pins in it. After you get a feel for the dimensions of the lock, find the tumbler. Put a slight amount of torque/pressure on the torsion wrench and slowly push the pin up. You’ll have to play around a bit with how much torque you’re putting on the lock. You shouldn’t need a lot. You might have to work the pin a few times. When it gets to the right spot, the lock will freely turn. Congratulation, you picked your first lock.

Remove the cover plate from the top of the lock, move the tumbler to another hole. Repeat a bunch of times. It should be pretty easy after the first few tries. Now, let’s make things more complicated. Toss in TWO tumblers. After you apply torque and you start probing the tumblers, you should notice one of the tumblers offers noticeably more resistance. That’s the tumbler with the pin that is binding. Press that tumbler up first. Then press the looser tumbler up secondly. It may now offer more resistance than the previous time you pushed on it, as it’s now the pin that is binding.

Stick with the two tumblers for a while. Move them around between the different openings. After you’re really comfortable, you can start adding more tumblers.

If you’d like an unsolicited suggestion. Don’t buy a “lock picking set”. They’re really overpriced and include lots of stuff you don’t need. Buy a torsion wrench (aka a tension wrench) and a half-diamond pick from any locksmith supply company on the internet. They should be a couple of bucks each. Don’t pay more than roughly $5 for either. You might want to consider buying a couple different variations of the tension wrench and half-diamond pick. You can buy nicer picks later if you really like lockpicking.

Read More