Happy new year (in case you are bored)

December 28th, 2011

There is a lot to say and write. Lots of interesting things happening. As always. And 2012 will be an interesting year. In many aspects.

Instead of writing an exciting blog post I wasted some time on making a puzzle. How many lock-related terms/names/organizations (etc.) can you spot? (click on the image for a bigger version)

Note: there is no hidden message, just a bunch of words. Any foul language you find is purely accidental.

Lock-Experts at Milipol

October 17th, 2011

Somehow this exercise reminds me of a trip I took with Han Fey in 2007. Except this time I am with some other people and in a different country. But the idea is the same: first time at an exhibition trying to explore new markets.

Hello there!

I have a good feeling about it. If you are visiting MiliPol be sure to stop by our booth in Hall 1 B093.

LockCon 2011 schedule

September 28th, 2011

The LockCon 2011 announcement It’s about time

The big question always is: how to pack a four or five day event into just one weekend? The answer lies in the (preliminary) LockCon 2011 schedule:

Friday, October 21 2011

Visitors are advised to arrive before 18:00 (if possible). Toool representatives will be present in the hostel from Thursday on, and will be available all day to assist visitors, assign them rooms and explain the (simple) rules of the event.

18:00 – 19:00. Dinner will be served. We hope the kitchen stays open till 19:30/19:45 for latecomers.

Friday 20:30 – 21:30 “Masterkeys for a non-masterkeyed system” by Han Fey

Han Fey likes to investigate. On the second-hand market he found locks from a facility with 180 individual locks. These locks were not masterkeyed. Han did however discover a flaw in the system, allowing a relatively small set of try-out keys to open all the locks. In this presentation he goes into detail on how he identified the flaw, narrowed down the keyspace and optimized his attack. Fascinating material.

Saturday, October 22 2011

08:00 – 09:00 Breakfast.

Saturday 09:00 – 14:00 “5 hours, 50 locks, 500 slides” By Peter Field
(Includes Lunch around 12:00)

As many LockCon attendees know, Peter Field has an extraordinary way of looking at locks. Like a pathologist, he cuts locks into many thin slices and captures the result with high quality photography. This unique method of creating a cutaway view is world renowned. With it he has set a standard many people have tried to copy, but only very few can even get close.

Peter Field, Lock Pathologist

We are proud and honored to have Peter over for yet another long presentation about the different elements in high security cylinder lock design. Combining his unique cut-away imagery with illustrations from old patents, he will explain how engineers classify the cylinder elements, modify them, develop new ones, and re-combine them all to invent new products for the constantly evolving security market. You will leave this presentation with an outline and a clear understanding of the design constraints and functions of most of the various elements you may find in any lock cylinder.

About Peter Field: he started locksmithing in 1960, and in 1978 was asked to join Medeco Security Locks, where he is now Director of Research. He has over 15 US Patents pertaining to high security locks, with several more patents pending. Being an employee of Medeco, one thing is clear: Mr. Field will not discuss any opening techniques. As he told us in previous years: “I am here to talk about locks. How to open them is up to you ….”.

15:00 – 15:45 “State of the art locks in the Stasi era” by Oliver Diederichsen

Oliver Diederichsen managed to get his hands on some unique material: complete Stasi manuals of the department responsible for covert entry operations. Many of the techniques and tools can still be converted to work on modern locks. Oliver will highlight one part of the files that talks about the state of the art in locks around the late eighties, and how far the Stasi got in bypassing them.

16:00 – 17:00 “Magnetic locks and how to defeat them” by Datagram

Datagram is a well-known expert in the field of lock forensics, but also does lots of other interesting research. Magnetic locks are still considered to be among the most secure locks. And in some cases rightfully so. During his presentation Datagram will show what progress he has made on bypassing some of these magnetic locks, and demonstrate his custom-made opening and decoding tool.

17:15 – 18:00 “Impressioning Abloy Classic” by Jaakko Fagerlund

Jaakko Fagerlund is a big fan of Abloy locks and knows a lot about them. And of course he is interested in how to tackle the system. Together with Jord Knaap he improved on Barry Wels’s ‘reduced contact area’ impressioning technique for disc locks. They found a way to get better marks and make the process easier, and share their findings in this workshop.

18:00-19:00 dinner

20:00 – 23:00 Impressioning championships.

impressioning
Impressioning is the fine art of opening a lock by filing a key from a blank. It is an ancient technique that still works on an amazing number of (high security) locks. The championships speak for themselves: who will be the fastest filing a working key to a lock this year? The impressioning championships will be played by the new rules. Meaning 45 people start with impressioning the same lock, and the first six people to open the lock will move on to the finals. Abus reserved some old stock just for these games and donated the C83 cylinders and blanks again this year. Thank you Abus!

Sunday October 23

08:00 – 09:30 Breakfast.

10:00 – 11:00 “Fichet F3D lock analysis” by Michael Huebler

The Fichet F3D lock is one of the most intriguing locks that has come out in a long time. It is not easy to get, quite expensive and contains many, many parts. The inner working of the lock is also quite interesting and unique. Michael will take you through the lock step by step, and there will be an interesting discussion on how this lock could maybe be bypassed.

11:30 – 15:30 Dutch Open lockpick championships.

We are not going to play the one-on-one, ‘winner takes all’ format that we did last year. It will be fair and balanced how we do it, and it will allow for many small picking contests against a direct opponent. In these games two people will be playing against each other, and the one with the most locks opened, or the fastest time if the same number of locks are opened, will go through to the next round. If the two contestants do not manage to open any of the locks they are both out of the game. In case we have an odd number of contestants, there will be three people competing against each other and the fastest two go through. The last man standing wins!

There is always a question about the selection of locks that will be used in the game. The brands will be kept secret, but we will try to arrange just two types of locks and make sure one of these locks is ‘relatively simple’ to open for an experienced picker. The locks used will be ‘standard’ five or six pin locks (so no dimple locks or special high security locks in the finals).

16:00 honoring the LockCon champs

17:00 Early dinner for those who need to travel

More information on how to register for LockCon2011 can be found here.

Expect this posting to change a little in the days to come.

More LockCon

September 8th, 2011

Just a quick reminder: LockCon 2011 will take place in the weekend of October 21-23.

The location is the good old Sneek hostel, and the rules are more or less the same as last year(s). I expect to come out with more news on LockCon around Monday September 12.

We are still looking for people who want to give a presentation (although we already have quite some excellent talks scheduled).

Places are limited, so if you would like to come now would be a good time to let us know.

Hope to see you all there!

lock-experts.com

July 15th, 2011

It is time to come out with my new company: lock-experts.com

Over the years I have been hired by some of the most serious players in the lock industry. Normally for things like training, presentations, workshops, education, plain advice, R&D, special toolmaking and more. It is work I love to do, and with the help of some friends I am going to expand it.

More about lock-experts.com soon. I hope the website is up before visiting ALOA.

(small update 19/07/11 : created a PGP key)

SSDeV impressioning games 2011

June 13th, 2011

Jos Weyers got another notch on his guitar. He won the German impressioning championships in Hamburg yesterday. For those who know Jos this will not come as a surprise. And right after Jos came Arthur Meister. Arthur is as steady as Jos, just a fraction slower. And after six locks this adds up.

Jord Knaap turned out to be the surprise. Before this weekend he barely impressioned a lock, but after an evening of practice with the ‘meisters’ he managed to get into the finals and open all six locks. Scoring a solid third place!

Impressioning heavyweights Oliver Diederichsen and Dr. Manfred Bölker became fourth and fifth.

There was a time it was unthinkable to have non-German people win these games, let alone have the top three contain two Dutchies ;)

German impressioning games 2011 in Hamburg

I knew I was not likely to end in the top three in this competition (due to lack of training) and scored a sixth place.

Thanks everybody for a great weekend!

LockCon 2011: October 22-23

June 10th, 2011

Just a quick post before going to Hamburg for the German impressioning championships.

We have a date for LockCon! It is going to happen the weekend of October 22-23, and already some interesting speakers have promised to give a presentation! The location most likely is going to be the good old hostel in Sneek, but if other options (in the Netherlands) come up we might be persuaded.

Hope to see you all there!

The robotic key duplicator

May 18th, 2011

Frank brought this nice little key-duplicating robot to my attention. The ‘minuteKey’ seems like a great idea! (check their site or see the FAQ for the limitations)

I am not sure how wise it is to have your home keys scanned and analyzed by a robot and then identify yourself to it by paying with a credit-card (no cash payment possible). On top of that it needs your e-mail address in order to mail you a receipt. The first thing that comes to mind is that all this data quickly turns into a pretty interesting database, especially if the minuteKey becomes popular and widespread.

Interesting times we live in …

What is up with Barry?

May 15th, 2011

Toool meeting Amsterdam

As you can see on the image above I am doing fine. The image is a picture made by Dutch Panorama Magazine a couple of weeks ago at the Amsterdam Toool meeting. Panorama interviewed me and wrote a pretty nice article about me.

One of the topics covered in the article is the flood of professional lock-related work I do at the moment. It is one of the reasons blackbag has not been updated for some time. Just too busy traveling, preparing courses, trainings, paid R&D and even work in the field of lock-forensics. When I say forensics it is not always answering the question if a particular technique was used to open a specific lock, it can also be in a role of expert witness to explain (or show) a particular lock can be opened quickly in court. I hope to follow up on the specific incident mentioned in Panorama when the case is final.

Next week we will be at ‘Hack In The Box’ in Amsterdam (May 19 and 20). We will have the Amsterdam Toool meeting on Wednesday (May 18) in our traditional hangout (the Kamers cafe/restaurant), and might later in the evening move to the prestigious Krasnapolsky Hotel at Dam square in Amsterdam to set up the booth. Thursday and Friday we will be at the Hotel for sure. If you want to learn about IT security and hobby-lockpicking, “Hack in the Box” is the place to be. I can offer a special discount if you want to attend “Hack in the Box”, so mail me for details.

One of the other courses we are preparing is for the blackhat sessions at DefCon (July 30-31). A two day hands on impressioning and safe-combo-manipulation course. Gonna be quite nice.

Still have a lot of work to do before I can announce LockCon 2011 …

Decrypted (descrambled) audio

March 2nd, 2011

Scott Buckey mailed me the following on my little challenge to see what you could make out of two scrambled audio messages. Not a 100% score, but good enough if an unknown message went through the air. And I believe the attack can be optimized some more (giving better audio quality).


@ Scott:
It’s a rolling code inversion scrambler that changes inversion point approximately every 3 seconds.

On the recording the first 3 second ‘frame’ is missing, sorry :(

[Start]

[Start of first frame] Cryptomuseum test tape [End of first frame] -Decoded at 3.729Khz
[Start of second frame] of the Icom Analog *broken; ‘Public?’* Scrambler [End of second frame] – Decoded at 4.441Khz
[Start of third frame] by saying some random numbers related to *broken; the ?* radio [End of third frame] – Decoded at 3.940Khz
[Start of fourth frame] *broken; Five? or Niner ?* Five Four Seven [End of fourth frame] – Decoded at 3.120Khz
[Start of fifth frame] *broken; Five ? or One? * Six *eight A ? *[End of fifth frame] – Decoded at 2.000Khz
[Start of sixth frame] one four six [End of fifth frame] – Decoded at 3.067Khz
[Start of seventh frame] two seven *broken; nine? or five?*[End of seventh frame] – Decoded at 4.352Khz
[Start of eighth frame] *broken; Something? or simply?* like this (bleeps) [End of eighth frame] – Decoded at 4.263Khz
[Start of ninth frame] (Bleeps) *Broken; and? or TION?* [End of Ninth frame] – Decoded at 4.263Khz
[Start of tenth frame] (Bleeps) End of test [End of tenth frame] – Decoded at 3.023Khz
[End]

He also mailed me the following audio sample. If you compare it to the original descrambled wav file there still is a big difference, but still I take my hat off for Scott.

Koos thought the first sample was recorded over a trunked network, but that is not the case. The ‘bursts’ in the sample are used for synchronization in the (slow) rolling code.

The reason you hear me count and whistle in the samples is because it is a quick and easy way of testing the effectiveness of analog scramblers. Listening to the whistles in the scrambled output will give you a pretty good idea of whether the scrambling is static or repetitive, and of what the possible scrambling technique and change rate are. And it is always interesting to see how many numbers you can identify ‘by ear’ on these kinds of systems.
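The whistle test described above, as an added Python example that is not part of the original post: a steady tone is passed through a per-frame frequency inverter, and the position of the tone in each scrambled frame shows the change rate and, with a known test tone, the inversion point. The sample rate, the 50 ms frame length, the 1000 Hz tone and all function names are assumptions made for the example; the three inversion points are taken from the frame list in Scott's mail.

```python
import math

FS = 16000         # sample rate in Hz (constructed for this example)
FRAME_LEN = 800    # 50 ms frames to keep the run short; the page's frames last ~3 s
WHISTLE_HZ = 1000  # constructed steady test tone standing in for the whistle

def lowpass_taps(cutoff_hz, ntaps=101):
    """Hamming-windowed sinc low-pass FIR with unity gain at DC."""
    mid, fc = (ntaps - 1) / 2, cutoff_hz / FS
    taps = []
    for n in range(ntaps):
        x = n - mid
        h = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        taps.append(h * (0.54 - 0.46 * math.cos(2 * math.pi * n / (ntaps - 1))))
    total = sum(taps)
    return [t / total for t in taps]

def invert(frame, point_hz):
    """Mix with a carrier at the inversion point and keep the lower sideband,
    so a component at f comes out at point_hz - f. Applying it twice with the
    same point restores the original frequency."""
    mixed = [2 * s * math.cos(2 * math.pi * point_hz * i / FS)
             for i, s in enumerate(frame)]
    taps = lowpass_taps(point_hz)
    half = len(taps) // 2
    out = []
    for i in range(len(mixed)):
        acc = 0.0
        for k, t in enumerate(taps):
            j = i + half - k
            if 0 <= j < len(mixed):
                acc += t * mixed[j]
        out.append(acc)
    return out

def split(signal):
    """Cut a signal into consecutive frames of FRAME_LEN samples."""
    return [signal[i:i + FRAME_LEN] for i in range(0, len(signal), FRAME_LEN)]

def rolling_invert(signal, points_hz):
    """Invert each frame around its own point (the slow 'rolling code')."""
    out = []
    for frame, point in zip(split(signal), points_hz):
        out += invert(frame, point)
    return out

def peak_hz(frame, step=10):
    """Strongest frequency in the middle half of a frame (direct DFT scan)."""
    core = frame[len(frame) // 4: 3 * len(frame) // 4]
    best, best_power = 0, -1.0
    for f in range(100, 5000, step):
        w = 2 * math.pi * f / FS
        re = sum(s * math.cos(w * i) for i, s in enumerate(core))
        im = sum(s * math.sin(w * i) for i, s in enumerate(core))
        if re * re + im * im > best_power:
            best, best_power = f, re * re + im * im
    return best

def demo():
    # Per-frame inversion points: three values from the decode log above.
    points = [3729, 4441, 3940]
    n = FRAME_LEN * len(points)
    whistle = [math.cos(2 * math.pi * WHISTLE_HZ * i / FS) for i in range(n)]
    scrambled = rolling_invert(whistle, points)
    heard = [peak_hz(f) for f in split(scrambled)]     # whistle jumps per frame
    estimated = [h + WHISTLE_HZ for h in heard]        # point = heard + test tone
    fixed = [peak_hz(invert(f, points[0])) for f in split(scrambled)]
    rolled = [peak_hz(f) for f in split(rolling_invert(scrambled, estimated))]
    return heard, estimated, fixed, rolled

if __name__ == "__main__":
    for name, row in zip(("heard", "estimated", "fixed", "rolled"), demo()):
        print(name, row)
```

A single fixed inversion point only restores the first frame, which is why the rolling code defeats a static descrambler but not a frame-by-frame one.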

The descrambled audio of the second file can be found here.

Cryptomuseum.com and my donation

February 19th, 2011

The blackbag banner says: locks, encryption and the RF spectrum. The last two topics have not had much attention yet. It is not that I do not have a lot to tell about them, it’s just that locks take up all of my time and interest at the moment. That is why I decided to donate a big part of my encryption device collection to the (virtual) crypto museum. Just take a look at their site; it is really a great place that will give you an idea of the radio side of the field I am interested in, and that forms the foundation of my work for GSMK Cryptophone.

cryptomuseum

I know the people behind cryptomuseum.com from some time ago. They are the same people that asked me to make a working key for an enigma some time ago at a Toool meeting. What is really funny is that twelve years ago I had the same idea, and even registered the cryptomuseum.com domain for a couple of years. But hey, then I got so involved with locks and lockpicking that I decided to put my focus on that. But before that I was quite serious about it, and even made some audio samples of encrypted and decrypted radio scramblers. For now I will only post two samples of these analog scrambling devices. If you listen carefully to these samples, you might be able to get some words, or even part of a sentence. You can post your guesses (or decrypted wav’s) in the comments. I will post the ‘decrypted’ audio in a couple of days from now.

Mottura C38 in new blackbag category: Cut to pieces

January 29th, 2011

Mottura C38

It has been a while since I added a category to blackbag, but now there is a new one called “cut to pieces”, and it is greatly inspired by the work of Peter Field.

The “cut to pieces” image I share with you today shows the inner working of the Mottura C38 lock. It is a nice lock that contains many nice features. Today I cover the magnetic pin. The pins in one of the chambers are not spring loaded, and gravity pulls the plug pin below the shear line. If the magnet in the key is at the right position, and has the right polarity, the magnetic pin in the house is pulled towards the key, also lifting the housing pin.

I hope the image(s) speaks for itself. (click on the image for a bigger version)

I am currently making quite a nice collection of images of various locking systems for my presentations and workshops. I will try to share some of the work here to keep you posted on what I am doing …

Assa d12

December 29th, 2010

2011 will bring some interesting papers on advanced locks. Both Michael Huebler and Han Fey are working on articles on some unique locks. Han’s article will be about the latest lock from Assa, the d12.

In my previous posting I asked what two locks had in common. I will now give you the answer. The bottom lock is the famous ‘seven pin’ ASSA 700 lock, and contains some extremely nasty anti-pick pins. In short: if you tension the lock and lift a few pins, the lock will ‘freeze’. Once a pin is locked between the core and the house you can only move it again after (almost?) fully releasing tension. We learned this seven pin lock has already been developed and produced over a period of 50 years (!), and is still a very common ‘medium security’ lock in Sweden.

And they call it medium security. Sure, if you compare the seven pin version to locks like the Assa Twin system (pdf) (like Twin Combi and DP) there is still a huge difference between them. But I dare to call the design of the 700 high security anyway.

assa d12

The top image from my previous posting shows the new ‘medium security lock’ by Assa. It is a new design to replace the Assa 700 lock and it is called the d12. So that is what they have in common.

Han’s preview of the d12 article already covers twenty pages(!). Here is some basic info about this amazing new lock. The pin has two tips, and there can be an offset between the left and right contact points. This gives very interesting properties for masterkey systems. To prevent the pins from twisting, they are equipped with little wings that fall into a slot in the channel of the core. And the wings also make some of the pins ‘float’, so a ‘999’ key will not make contact with all pins. If you look at the image, you can see the fifth pin is much longer and is being operated by a lower portion of the key. And if you manage to get your picktool inserted, the lock has the same anti-pick properties as the 700 series. You will have to be patient for Han’s article to read all the ins and outs of this system, but I can just say it is neat to see groundbreaking new technology like this enter the market.

And last but not least: there was a small error in Han’s image in my previous post. Pin six was not positioned correctly (as Michael Huebler pointed out in the comments). Below is the correct image.

Assa d12

To be continued (somewhere in 2011) …

What do these two locks have in common?

December 24th, 2010

Really, I think highly of you. And Han and I are just curious if people know the relationship between these two locks shown below, and how long it will take before the correct answer is given in the comments. After Christmas I will come back with the answer here anyway.

?

? 2

Lockpicking thieves are coming

December 1st, 2010

Han and I get more and more work as expert witnesses in court cases and in lock-forensics these days. It is one of the reasons we invest a lot in Macro Photography.

can you see what happened here?

It seems more criminals are using clever opening techniques to break into places, and in the Netherlands not many people have the expertise to be able to show what happened. News about these ‘burglaries without a trace’ cases even makes it to the front page of Dutch newspapers.

burglary without damage via lockpicking

The article was about the ‘Twente case’. Dutch Police in Twente (.NL) arrested a twenty-five year old male on November 4th. A witness gave the police a description of a person who most likely broke a window at a shop at the Heutinkstraat in Enschede. Police noticed a person on a bicycle who matched the description, but the man tried to escape when they approached him. After a short chase the man was arrested, and the first official report (mirror) about this incident mentioned the man possessed ‘burglary tools’.

A later report (mirror) stated the man was taken into custody and his house was searched. At his house a lot of stolen goods were discovered, as well as a ‘large amount of cash’. Police soon discovered the man used manual lockpicking to break into houses. His territory was a range of houses of elderly people at the Marthastraat and C.F. Klaarstraat in Enschede. So far he has confessed to thirteen burglaries committed over an 18-month period. He mostly went out at night and used a lockpick set to gain entry. As police stated, the man ‘worked very clean’, and in some of the cases the owners of the house never even realized they had been burglarized! He managed to take away expensive goods, silver and cash without leaving a trace. To make things worse, he even used the burglarized houses for mail order fraud. He successfully mail ordered gold and expensive goods without the owners of the houses knowing.

According to police spokeswoman Chantal Westerhoff, the burglar had ‘very sensitive fingers’. She said “Lockpicking is a special trade, and not a lot of people can do what this guy did”.

After his confession, and showing lots of remorse, the man was released from custody. He will soon have to account for his behavior in court. I hope I can find out what day the court case is, and I will try to follow up on the story. Any information on the case is welcome, so feel free to mail me if you know more about it.

* Note December 2: I received additional information about the case. The trial will be held in February 2011 (no date set yet). And it is going to generate a lot of media attention as there are some very interesting angles to the story.