Copy Link
Add to Bookmark
Report
INFORMATIK Volume 1 Issue 5
+=============================================================================+
| ## ## ## ###### ###### ###### ### ### ###### ###### ## ## ## |
| ## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## |
| ## ## ### ##### ## ## ###### ## ## ###### ## ## #### |
| ## ## ## ## ###### ## ## ## ## ## ## ## ## ## ## |
+=============================================##==============================+
| Oct 31, 1992|
| [ The Journal of Privileged Information ] |
| |
+-----------------------------------------------------------------------------+
| Issue 05 By: 'Above the Law' |
+-----------------------------------------------------------------------------+
| |
|Informatik--Bringing you all the information you should know... |
| and a lot you shouldn't... |
| |
+=============================================================================+
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
*DISCLAIMER*
Informatik Journal is printed for informational purposes only. We
do not recommend or condone any illegal or fraudulent application of
the information found in this electronic magazine. As such, we
accept no liability for any criminal or civil disputes arising from
said information.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
===========================================
============== - CONTENTS - ===============
================ Issue 05 =================
======= Release date Oct 31, 1992 ========
===========================================
01) Issue #5 Introduction
By: Informatik Staff
02) X-Mas Con 1992 Announcement
By: DrunkFux
04) Locks and Physical Security
By: Sterling
05) USSS Frequency Guide
By: Miles Barkman
06) Cellular Update
By: The US Congress
07) The HP3000's 'SECURITY/3000' system (part 3)
By: Sterling
08) Informatik Submission & Subscription Policy
By: Informatik Staff
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/* Introduction */
Happy Halloween and welcome to the 5th issue of the Informatik
Journal. Though still suffering the slings and arrows of higher
education, we have again managed to crank out an issue. Unfortunately we
are still having a very poor response to our call for submissions. Come
on! Contribute it. Even if you aren't an expert, we can all benefit from
a little research on your part. Just head on out to the local library,
find something interesting, and research it into a nice, informative
article. We welcome information on the government, radio, computer
hacking, preaking, and anything else of interest to the "computer
underground" crowd. Even if you are not a writer, we welcome any feedback
you may have concerning informatik. Speaking of which, WE HAVE MOVED
SHOP! Thanks to our pals in Pittsburgh, we now have a new home:
(inform@grind.cheme.cmu.edu) All subscription requests, feedback, etc,
should be sent to that address. The old address is no longer valid, so
any correspondance to our previous address has long since entered the
cyber void.
The bulk of this issue (135k!!) is devoted to an article on Security
Devices that is the most complete guide to locks, lockpicking, and
security systems available to date. It should prove interesting to you
all. In other news XMAS CON IS COMING! The whole staff of Informatik
will be there, as will plenty of other interesting characters. Be there,
its always interesting. Radio scanners need to check out the new
collection of Secret Services frequencies and information on the latest,
greatest cellular interception restrictions. And wrapping it up, we have
the third and final part our series on The HP3000's 'SECURITY/3000' system.
We've been asked to pass along that a bbs has been set up on 128.2.55.27
for those of you with internet access. Simply logon as bbs.
Informatik staff currently consists of Sterling, and MackHammer
(between naps), with additional assistance provided by Live0ne and
Holistic. If you are interested in working with the staff, drop us a
line.
Enjoy,
Informatik Staff
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[Updated Announcement - October 27, 1992]
dFx International Digest and cDc - Cult Of The Dead Cow proudly present :
The Third Annual
X M A S C O N
AKA
H 0 H 0 C O N
"WE KAN'T BE ST0PPED!"
Who: All Hackers, Journalists, Security Personnel, Federal Agents,
Lawyers, Authors and Other Interested Parties.
Where: Allen Park Inn
2121 Allen Parkway
Houston, Texas 77019
U.S.A.
Tel: (800) 231-6310
Hou: (713) 521-9321
Fax: (713) 521-9321, Ext. 350
When: Friday December 18 through Sunday December 20, 1992
HoJo's Says NoNo To HoHo
~~~~~~~~~~~~~~~~~~~~~~~~
HAY!^@!*%!$1#&! We beat our own record! This year, thanks to one
certain person's complete stupidity and ignorance, we managed to get
kicked out of our first chosen hotel four months in advance. Needless
to say, this caused some serious confusion for those who called to
make reservations and were told the conference had been canceled.
Well ... it hasn't been. The story is long, but if you wish to read
exactly what happened, check out CuD 4.45.
The conference dates are still the same, but the hotel has changed
since what was originally reported in the first update, which made
it's way throughout Usenet and numerous other places, including CuD
4.40. If you haven't heard about the new location, please make a note
of the information listed above.
What Exactly Is HoHoCon?
~~~~~~~~~~~~~~~~~~~~~~~~
HoHoCon is something you have to experience to truly understand. It is
the largest annual gathering of those in, related to, or wishing to
know more about the computer underground (or those just looking for
another excuse to party). Attendees generally include some of the most
notable members of the "hacking/telecom" community, journalists,
authors, security professionals, lawyers, and a host of others. Last
year's speakers ranged from Bruce Sterling to Chris Goggans and Scot
Chasin of Comsec/LoD. The conference is also one of the very few that
is completely open to the public and we encourage anyone who is
interested to attend.
Or, as Jim Thomas put it in CuD 4.45:
"For the past few years, a conference called "XmasCon" (or HoHoCon)
has been held in Texas in December. As reported previously (CuD
#4.40), it will be held again this year from 18-21 December. For those
unfamiliar with it, XmasCon is a national meeting of curious computer
aficionados, journalists, scholars, computer professionals, and
others, who meet for three days and do what people do at other
conferences: Discuss common interests and relax."
Hotel Information
~~~~~~~~~~~~~~~~~
The Allen Park Inn is located along Buffalo Bayou and is approximately
three minutes away from downtown Houston. The HoHoCon group room rates
are $49.00 plus tax (15%) per night, your choice of either single or
double. As usual, when making reservations you will need to tell the
hotel you are with the HoHoCon Conference to receive the group rate.
Unlike our previously chosen joke of a hotel, the Allen Park Inn is
not situated next to an airport and this may cause a small
inconvenience for those of you who will be flying to the conference.
The hotel is centrally located so you can fly in to either
Intercontinental or Hobby airport but we are recommending Hobby as it
is 15 miles closer and much easier to get to from the hotel. Here's
where it may get a little confusing:
If you arrive at Hobby, you will need to take the Downtown Hyatt
Airport Shuttle to the Hyatt, which departs every 30 minutes and will
cost you $6.00. When you get to the Hyatt, get out of the shuttle with
your luggage (for those who may not of figured that out yet) and use
any of the nearby payphones to call the Allen Park Inn (521-9321) and
tell them you need a ride. It's just like calling Mom when you need a
ride home from glee club! The hotel shuttle will be around shortly to
pick you up and take you to the aforementioned elite meeting place,
and that ride is free. If all this is too much for you, you can always
take a cab directly to the hotel which will run you about $20.
If you arrive at Intercontinental, you will need to board the Airport
Express bus and take it to the Downtown Hyatt ($9). Once there, just
follow the same instructions listed above.
We are in the process of trying to get the hotel to provide constant
airport transportation during the conference, but they've yet to give
us a definite answer. It is quite possible that we will have our own
shuttle to bus people between the airports and hotel, so if you'd
prefer a faster and more direct method of transportation, it would be
helpful to mail and let us know what time you'll be arriving and at
what airport. This will give us a chance to coordinate things more
efficiently.
Check-in is 3:00 p.m. and check-out is 12:00 noon. Earlier check-in is
available if there are unoccupied rooms ready. Free local calls are
provided, so bring dem 'puterz. I don't know if cable is free also, so
those who wish to rekindle the memories of yesteryear may want to
bring their screwdrivers. The hotel has both 24 hour room service, and
a 24 hour restaurant, The Nashville Room. Call it a wacky coincidence,
but the hotel bar is called the ATI room and like most of Houston's
similar establishments, closes at 2 a.m. Good thing Tony still works
at Spec's ...
This time around, the hotel is placing the conference guests in the
rooms surrounding the courtyard/pool area. We are once again
encouraging people to make their reservations as soon as possible for
two reasons -- first, we were told that if you wait too long and the
courtyard rooms are all taken, there is a chance that you'll be
situated at the complete opposite end of the hotel, which isn't so bad
if you don't mind walking all that way back and forth outside in
December. Secondly, there is no other hotel exactly next door to this
one (the closest is about five minutes away or so), so if for some odd
reason all the rooms get rented, you'll get to do some nifty traveling
every night.
Directions
~~~~~~~~~~
For those of you who will be driving to the conference, the following
is a list of directions on how to get to the hotel from most of
Houston's major freeways that bring traffic in from out of town:
I-45 North or South: Exit Allen Parkway on the inside (left side) of
the freeway. Take the Studemont/Montrose exit off Allen Parkway, then
make a u-turn at the bridge and head back towards downtown. The hotel
will be on the right hand side.
290: Take 290 to 610 South, then take I-10 East towards downtown. Exit
Studemont. Right on Studemont, left on Allen Parkway. The hotel will
be on the right hand side.
I-10 West: Exit Studemont. Right on Studemont, left on Allen Parkway.
The hotel will be on the right hand side.
I-10 East: Take I-10 East to I-45 South and follow the same directions
from I-45 listed above.
I-59 North or South: Take I-59 to I-45 North and follow the same
directions from I-45 listed above.
Call the hotel if these aren't complete enough or if you need
additional information.
Conference Details
~~~~~~~~~~~~~~~~~~
HoHoCon will last three days, with the actual conference being held on
Saturday, December 19 in the Hermitage Room, starting at 11:00 a.m.
and continuing until 5 p.m. or earlier depending on the number of
speakers.
We are still in the planning stages at the moment, primarily due to
time lost in finding a new hotel and getting contracts signed. We have
a number of speakers confirmed (yes, Goggans will be speaking again)
and will try to finalize the list and include it in the next update.
We are definitely still looking for people to speak and welcome
diverse topics (except for "The wonders and joys of ANSI, and how it
changed my life"). If you're interested in rattling away, please
contact us as soon as possible and let us know who you are, who you
represent (if anyone), the topic you wish to speak on, a rough
estimate of how long you will need, and whether or not you will be
needing any audio-visual aids.
We would like to have people bring interesting items and videos again
this year. If you have anything you think people would enjoy having
the chance to see, please let us know ahead of time, and tell us if
you will need any help getting it to the conference. If all else
fails, just bring it to the con and give it to us when you arrive. We
will also include a list of items and videos that will be present in a
future update.
If anyone requires any additional information, needs to ask any
questions, wants to RSVP, or would like to be added to the mailing
list to receive the HoHoCon updates, you may mail us at:
dfx@nuchat.sccsi.com
drunkfux@freeside.com
drunkfux@ashpool.freeside.com
359@7354 (WWIV Net)
or via sluggo mail at:
Freeside Data Network
Attn: HoHoCon/dFx
11504 Hughes Road
Suite 124
Houston, Texas
77089
We also have a VMB which includes all the conference information and
is probably the fastest way to get updated reports. The number is:
713-866-4884
You may also download any of the conference announcements and related
materials by calling 713-492-2783 and using the username "unix", which
is unpassworded. The files will be in the "hohocon" directory. Type
"biscuit" if you wish to gain an account on the system. You can find
us there too.
Conference information and updates will most likely also be found in
most computer underground related publications, including CuD,
Informatik, NIA, Mondo 2000, 2600, Phrack, World View, etc. We
completely encourage people to use, reprint, and distribute any
information in this file.
Stupid Ending Statement To Make Us Look Good
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HoHoCon '92 will be a priceless learning experience for professionals
(yeah, right) and gives journalists a chance to gather information and
ideas direct from the source. It is also one of the very few times
when all the members of the computer underground can come together for
a realistic purpose. We urge people not to miss out on an event of
this caliber, which doesn't happen very often. If you've ever wanted
to meet some of the most famous people from the hacking community,
this may be your one and only chance. Don't wait to read about it in
all the magazines and then wish you had been there, make your plans to
attend now! Be a part of what we hope to be our largest and greatest
conference ever.
Remember, to make your reservations, call (800) 231-6310 and tell them
you're with HoHoCon.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
*********************************************
*********************************************
** **
* Locks and Physical Security Devices *
* *
* by Sterling *
** **
*********************************************
*********************************************
Introduction
------------
Ever since man has had something worth keeping, he has devised ways to
protect it. The Egyptians were the first to develop a working lock of any
complexity. It was based on a flat, wooden "key" with a series of raised pins
that enable the user to slide back a wooden bolt that protected the door from
entry. Advances in metallurgy eventually brought forth locks of iron.
As locks became more complex, the great medieval locksmiths' guilds
carefully guarded their secrets. Restrictions forbid the guild's members from
discussing the relatively simple inner workings of locks for fear of losing
their power. By protecting their secrets, the locksmiths were able to exploit
their unique skills, charging outlandish sums for their services.
The same principles apply today. That is why a locksmith can charge you
$60 to come and unlock the door to your house. Americans spend millions each
year on security systems to protect their property. Often this money is wasted
on devices that really provide only limited protection. In this text I would
like to expose how locks and security systems work, and how you can bypass them
if needed.
It is easy to lose faith in the common door lock once you understand its
simple operation. It took me less than a week with my lock picks before I
could open my front door. Any first timer can open a desk or filing cabinet
after achieving a basic understanding of the principles of modern locks.
Hopefully this article will expose to more people just how unsecure locks can
be, and with practice you should be able to pick your way into your house
should the need arise.
The content of the article comes from a wide variety of sources. Personal
experience, excerpts and summaries from the "alt.locksmithing" newsgroup, and
from locksmithing and lockpicking books. Special thanks goes out to *Hobbit*
for his simplex and hotel lock articles.
There are several types of locks that you are likely to encounter. These
locks are easy to spot and identify what you know what to look for. Here I
will discuss everything from the seldom used "warded lock" to alarm systems.
Table of Contents:
------------------
Key Operated Locks
Latches
The Warded Lock
The Lever Lock
The Wafer (Disc) Tumbler Lock
The Pin Tumbler Lock
Tubular Cylinder Locks
Lockpicking Tools
The Basic Picks
Making Your Own Picks
Purchasing Picks
Attitude and Tips for Success
Other Security Devices
Combination Locks
Magnetic Locks
Simplex Locks
Automotive Protection Systems
The Marlock System
VingCard Locks
Electronic Hotel Card Locks
Alarm Systems
Type of Latches
~~~~~~~~~~~~~~~
The latch is a spring bolt that actually holds the door shut. This is in
contrast to the deadbolt, that had NO spring, and must be manually engaged.
There are two primary types of latches, the springlatch and the deadlatch.
The springlatch is much more convenient, when the door is shut, the
springlatch springs into place, locking the door shut. This is the type of
latch found on most key-in-knob type door locks. The problem with the
springlatch is that it is easily defeated by sliding a plastic card or thin
knife and forcing it back. To prevent this, a latch guard can be installed.
This is a device constructed from heavy steel folded lengthwise at a ninety
degree angle or a T-bar shape. It is usually anywhere from six to twelve
inches in length and is fastened to the edge of the door by bolts. The latch
guard hides the latchbolt, and prevents any tampering with it.
The deadlatch cannot be shoved open like the unprotected springlatch can.
When the door is closed, the latch bolt is secure in the lock position and acts
as a deadbolt (a bolt that is not spring loaded, and resists any end pressure).
The deadlatch resembles a smaller, beveled bolt projecting from the latchbolt.
On some designs, the deadlatch takes the shape of an additional bolt, somewhat
smaller, and usually placed higher up on the lock body. A key or interior
locking mechanism must be used to engage the deadlatch and lock the door.
The Warded Lock
~~~~~~~~~~~~~~~
The warded lock's basic design was created by the ancient Romans. The
basic principle behind its operation is a series of "wards" (projecting
obstructions) that prevent all but the proper cut key from being rotated inside
the lock. These obstructions have been placed in the path of the turning of
the bit portion of the key. This type of lock utilizes a key that has been
notched in a way that it clears all the wards, but is still able to turn the
bolt. These locks are easy to recognize. They are the "classic" antique lock
that you may still find in old houses.
_______ blade (stem) ##### handle (bow)
/ \ ########
| | ################################# ##
\ / ################################# ##
| | #### ### ########
/ \ #### ### #####
/ \ ####
/ \ bit a warded key for a two-ward lock
/___________\
warded key lock entrance
The number of wards in the lock can vary, but normally two is the minimum.
When a user inserts a key into the warded lock, the metal obstructions inside
the lock allow only the proper key to be inserted. The key bittings allow the
key to turn in a circular motion, opening the lock through one of four
different mechanisms:
1) The key lifts a detent lever while throwing the bolt, providing
deadbolt action. (Deadbolt action means that the bolt is secure
against end pressure.)
2) The key moves a bolt whose locked or unlocked position is maintained
by the action of a humped flat spring in two notches on the bolt.
3) The key moves directly against the latch tail of a latchbolt, or does
so through the action of a floating lever.
4) The key inserts between two springs and wedges them apart as it is
turned. (Usually only in warded padlocks)
Picking
These locks offer only token security to the user. Besides being easy to
circumvent, the warded locks offers only about fifty alternate keying
combinations. Picking them is generally regarded as trivial. All that is
required is to bypass the wards and move the bolt into the unlocked position.
This can be accomplished by using a pick known as a "buttonhook". To make your
own buttonhook pick, use a pair of pliers to bend a six inch section of coat
hanger into a warded key shape as below:
########
### ##
################################# ##
# ## ##
### ## #
#####
The wire should be thin enough to pass into the keyway while avoiding all
the wards, but stiff enough that it can still manipulate the bolt to open the
lock. Though you may have to make a "large" and a "small" warded lock pick,
the same principle applies.
The Lever Lock
~~~~~~~~~~~~~~
Robert Barron invented the lever lock in 1778. This constituted a
considerable improvement over the ancient warded lock. It was based on a
series of several "levers" that must each be raised to their own set height.
If a particular lever was lifted to high or not enough, then the lock would not
open. When the proper key is inserted, the notches on the key raise all the
lever tumblers the required distance, lining up all the gates, allowing the
lock to be opened. Not only was this new lock much harder to pick, it offered
up to ten billion possible keying combinations. (The amount of practical
combinations is actually around fifty thousand)
#####
__ #######
/ \ ## ### #### ## ########### ##
\ / ###### ####### ########### ##
| | a lever or "lever tumbler" ########################### ##
| | lock keyhole #######
|__| ####
a lever tumbler lock key
Since its design the lever tumbler lock has undergone numerous
improvements. One of the is called the parautopic lock. The parautopic lock
consisted of two sets of lever tumbler, where the first worked on the second.
It also proved a plate that turned with the key so that one could not inspect
the locks interior construction. Lever locks, though limited in use, can still
be found today in some hospitals, suitcases, cabinets, fine furniture, and
attache cases. Lever locks are also used on safe-deposit boxes, often with
fifteen or more levers and sometimes requiring two keys.
Picking
Lever locks are a little harder to pick then the wafer and pin tumbler
variety. In fact, the type of lever locks used on safe-deposit boxes are very
difficult to pick indeed. To pick a lever lock requires that tension be placed
against the deadbolt throughout the course of lifting one or more levers within
the lock to the required alignment with the post. This requires the use of a
"lever lock tension wrench" and a "hook" or "lifter" pick. [Picks are
discussed later in the Lockpicking Tools section.]
Insert the lever lock tension wrench (a bit different than a normal
tension wrench) into the keyway, and exert torsional pressure. The long bit is
the part you hold, the next bend runs to the bottom of the lock, and the final
bend fits into the notch in the bolt. Unlike most other types of locks, the
lever locks requires you to exert considerable pressure on the tension wrench
while picking. Usually the lever springs provide enough force to cause the
levers to drop back down once picked. Because of the greater pressure, lever
locks may require a slightly thicker tension wrench then normal.
Then insert the hook pick all the way into the lock. Locate the back
lever and raise it gently until you FEEL or HEAR a slight "click". With the
lever locks, the force required to push against the spring is substantially
more than in other locks. Once it reaches the correct position, the gate will
align with the post, and you should notice a slight "give" in the deadbolt, as
there is now one less lever obstructing the lock from opening. You should note
that once a lever has been picked, the amount of force required to lift that
lever will be substantially less.
Move on to the next lever by slightly withdrawing the pick and repeat the
process. Each subsequent lever will require the use of slightly less tension
then on the previous ones. Otherwise the increased tension could cause the
lock to bind up.
Once you have picked each individual lever, the lock should open. If it
does not, then reinsert the pick (always maintaining tension with your wrench)
and jiggle each lever slightly to ensure correct alignment.
Each lever does not require very much lift. This is due to the fact that
the maximum depth of the cut under any tumbler is no more than half the width
of the key, and never more than two-thirds its width. You should therefore use
a pick that does not have too much "hook" to it.
The Wafer Tumbler Lock
~~~~~~~~~~~~~~~~~~~~~~
The wafer tumbler lock was developed as a low-cost lock that offered a
reasonable degree of security to the owner. These locks are make up over
one-fourth of all the locks in the world. The outside of the lock resembles
the pin tumbler lock (yet to be discussed), but uses a much simpler mechanism.
Wafer keyways usually have simple side ward indentions. The key is usually
shorter than that of other locks, but equally broad. It may be cut on one or
both sides. A two sided wafer lock is often called a "double wafer." The lock
consists of four main parts. The plug housing, which contains the wafers and
springs, the shell, the cam (locking bolt), and the retainer. The wafers are
sometimes referred to as "discs" because their top and bottom are rounded to
fit into the cylinder. Here is a diagram:
5
___ 7 | ___
||############## 1-> @| _ |_
## ||## ## ## ## ## @||2||/
6##||##4##3##2##1## <-keyway @||_||
## ||## ## ## ## ## \|___|
___||############## 3
|
\plug/ detail of a wafer tumbler
cutaway side view 1) spring
of a wafer lock 2) key slot
3) spring wing
1-4) spacings #1-4
5) cam (operates the bolt)
6) retainer (rear plug)
7) the shell (body of the lock)
Each lock has a series of chambers in which the wafers rest. These
spacing closest to the front of the lock is numbered with one, and their
numbers increase toward the back of the lock. Picture a number of the wafers
placed face-to-face in the plug's spacing chambers. Each wafer is equal in
overall size, but the key slots are of varying height. A metal spring exerts
pressure on the spring wing of each wafer, forcing its lower part into the
shell's "locking grooves" which lets the lower portion hang about midway into
the keyway. Looking into the lock, you should be able to see this. These
wafers act to hold the plug and shell together, preventing the lock from
turning.
When the correct key is inserted, it goes through the key slots on each
wafer, raising the wafers out of the locking groove. The key must have the
appropriate depth of cut in each position to raise the wafer the correct
amount. The depth of the key's cut (and the length of the wafer's key slot) is
any one of five different depths. The shorter the top edge of the wafer's key
slot, the lower the key cut depth value. For instance the number 1 slot (the
slot that is the largest) would require the shallowest cut in the key.
Normally lock manufacturers place a number four or five wafer near the keyhole
to block the view of the back wafers. Also note that the same type of wafer
may appear several times in the same lock.
Above some brands of wafer tumbler lock you will see a small hole. When
the lock has been unlocked, you can remove the entire lock plug by inserting a
piece of stiff wire into this hole and depressing the retainer. Though nowhere
near as secure as the pin tumbler lock, the wafer tumbler is a very popular,
low cost lock. The lock is normally found on cheaper cabinets and desks, some
padlocks, some automobile locks, locking handles, and trailer doors. Where
more security is desired, the double wafer type is used, providing wafers on
the top and bottom of the keyway.
Picking
Though harder to pick then the warded lock, the wafer lock is still easy
to circumvent. This is an excellent lock to practice on because the techniques
required to pick it are applicable to the pin tumbler lock as well. Like the
lever lock, picking the wafer tumbler lock requires use of a tension wrench and
a pick. A variety of the different picks can be used including the rake, the
hook, the half-diamond, and the half-round pick. Selection depends on the size
of the lock, the distance between each wafer, and personal preference.
Raking
One of the most common methods of picking the wafer tumbler lock is by
raking. To rake the lock, insert the tension wrench is inserted just inside
the keyway, stopping short of the first wafer, and flush with the bottom of the
keyway. Apply moderate tension to the wrench. If you apply too much tension
the wafers will bind and not be able to move into alignment. Once you have the
tension wrench in place, insert either the rake or half-round pick into the
keyway. Don't worry about feeling the tumblers, instead concentrate on
applying uniform pressure to them as you move the rake in and out of the keyway
in a scrubbing motion. This scrubbing motion should cause the wafers to lift
into alignment as they are thrown up and down in their spacings. This method
is usually quite effective on most wafer locks, and should always be tried
first.
Manipulating Individual Wafers
If the lock does not respond to raking, you can try using the half-diamond
pick to each wafer into alignment one-by-one. While maintaining light but
consistent pressure with the tension wrench, use the pick to lift each wafer
into alignment at the shear line, starting from the backmost tumbler. Once it
reaches the proper alignment, you should feel or hear a slight "click" and the
plug will turn ever so slightly, relieving a bit of pressure on the wrench.
Continue one-by-one, working outward, until each tumbler has been aligned and
the lock opens.
Vibration Picking
Often you can use a technique called vibration picking to open a wafer
tumbler lock. This uses a tool known as a "snapper" pick or a "lockpick gun".
[These are described in the Lockpicking Tools section of this article] To use
the snapper pick maintain a light tension with the wrench and insert the tip of
the pick into the keyway, just touching the bottom of the tumblers. Then use
the thumb, which rests along the top edge of the pick to depress the top loop.
Let the thumb slide off the compressed part of the pick, permitting it to snap
back. It will then strike a light blow to the tumblers, popping them up until
they are held in place at the shear line. Repeated snaps, while maintaining
tension with the wrench, usually results in aligning all the tumblers, and thus
opening the lock. The lockpick gun works automatically, with a trigger device
that "snaps" its wire pick up in the keyway.
Picking Double Wafer Locks
Double Wafer locks are picked the same way as single wafer locks, but
there two sides to the story. Not only must you align all the top wafers, but
the bottom ones as well. You can purchase special designed tension wrenches
with will let you then use a ball pick to pick both sets of wafers.
Alternatively you can use a standard tension wrench in the center of the
keyway, using a half diamond pick. Once you have picked one set, simply
reverse the pick and pick the other. It may take a few tries before you are
able to hold all the wafers in place.
The Pin Tumbler Lock
~~~~~~~~~~~~~~~~~~~~
Pin tumbler locks are by far the most popular lock today. Over half of
the locks in use are of the pin tumbler type. They look similar to the wafer
tumbler lock, but can easy be distinguished by their round pins, visible in the
keyhole. There operation is also similar to the wafer type, but is more costly
and requires much stricter machining tolerances. Here are some diagrams:
|
|
|
|________________________________________
| | @ | | @ | | @ | | @ | | @ |
| | @ | | @ | | @ | | @ | | @ | Tumbler springs
| | @ | | @ | | @ | | @ | | @ |
| | @ | 4 | @ | | @ | | @ | | @ |
| | @ | ||~|| | @ | ||~|| ||~||
|___||~||___|| ||___||~||___|| ||___|| ||__ _ _ _ _ _ _Shearline
\_ ||1|| 3 || || || || || || || | |
\_|| ||___||~||___|| ||___||~||___||~| |
|~| | | |~| | | | | |
keyway |2| | | | | | | | | | Plug
|_| |_| |_| |_| |_| |
+-----------------------------------------+
|
|
|
|
The pin tumbler lock, cutaway side view (locked)
1) top pin
2) bottom pin
3) cylinder (top of plug)
4) shell
|
|
|
|________________________________________
| | @ | | @ | | @ | | @ | | @ |
| | @ | | @ | | @ | | @ | | @ | Tumbler springs
| | @ | | @ | | @ | | @ | | @ |
| || || 4 || || || || || || || ||
| ||1|| || || || || || || || ||
|___|| ||_ _|| ||___|| ||___|| ||___|| ||__ _ _ _ _ _ _Shearline
\_ ||~|| 3 ||~|| ||~|| ||~|| ||~| |
\_||2||___|| ||___|| ||___|| ||___|| | |
| | |_| | | | | |
keyway |_| |_| |_| | Plug
|
+-----------------------------------------+
|
|
|
|
The pin tumbler lock, cutaway side view (unlocked)
1) top pin (drivers)
2) bottom pin (key pins)
3) cylinder (top of plug)
4) shell
___________________ ___________________
_/ @ \_ _/ @ \_
/ @ 3 \ / @ 3 \
| @ | | | | |
| | | | | |2| |
| ____|2|____ | | ____|_|____ |
| / |_| \ | | / | | \ |
| | _| |_ 4 | | | | _|1|_ 4 | |
| | / |1| \ | | | | / |_| \ | |
| | | |_| | | | | | | | | |
| | | | | | | | | | | |
| | | 5 | | | | | | 5 | | |
| | \_____/ | | | | \_____/ | |
| | 6 | | | | 6 | |
| \___________/ | | \___________/ |
| 7 | | 7 |
\_ _/ \_ _/
\___________________/ \___________________/
Locked Unlocked
Pin Tumbler Lock (front) Pin Tumbler Lock (front)
1) bottom pin (key pins)
2) top pin (drivers)
3) tumbler spring
4) shear line
5) keyway
6) plug (cylinder)
7) shell
OK, I will explain how the pin tumbler lock works, but you really should
consider going to K-Mart and buying a cheap lock to take apart and study. In
the lock's shell (main body) there is the keyway and three to eight (usually
five) spacings drilled from the top of the lock into the keyway. This is
similar in principle to the wafer lock. In each of theses spacings are two
pins and a spring. The top pins are always the same length, while each bottom
pins can each be any of ten different sizes (0-9). Note that the bottom pins
have a rounded bottom, allowing for them to ride up the key easier. The spring
forces the pin stack down so that the lower pin protrudes into the keyway.
(The wedge slot keeps them from falling all the way to the bottom of the
keyway) When the correct key is inserted, each pin stack is lifted according to
how deep or shallow the key is cut in that corresponding location. To open the
lock, the top of bottom pin (the point where the top and bottom pin meet) must
line up with the lock plug and the shell (the shearline). When in this
position, the lock is unlocked and the plug can rotate around, taking the
bottom pin around with it. If any pin is raised too high, or not high enough,
then that pin keeps the plug from turning inside the lock shell. Of course in
the locked position, all the pins stop the plug from turning.
These locks are used almost everywhere. The provide over a million
possible combinations for a five pin lock, and billions for the eight pin.
These are the standard door locks in most residential and commercial buildings.
Often you will find pin tumbler locks with only three pins on cheap desks, some
copy machines, and storage lockers. They offer a reasonable degree of
security, but are far from tamper proof.
Picking
Picking the pin tumbler lock is based on the principle that slight
imperfections exist in every lock. Every lock is machined to certain sets of
tolerances, such as plus or minus .0002 inches. The closer the tolerance, the
harder the lock is to pick, but the more expensive the machining costs. That
is what makes one pin tumbler lock harder to pick than another. This variation
in the lock's components means that in attempting to turn the plug in the lock
without the proper key, one tumbler will be caught up and become tight before
subsequent tumblers are. Therefore, when turning tension is applied to the
plug with a tension wrench, and the tight tumbler is lifted with a pick, there
will be either a clicking feel or a sudden relief in the tension the tumbler
exerts on the pick. This relief of tension occurs when the pin is brought up
even with the shear line. At this time, lifting can be stopped.
Use a hook pick to lift each pin to its breaking point, starting with the
pin that is bound (resisting) the tightest. Gently pry the pin up against the
spring pressure until it breaks at the shear line. Care must be taken not to
lift the pin too high, or it may become jammed in the upper chamber. It is
often impossible to get this pin back down without releasing tension on the
plug.
A common problem is applying too much tension. A light touch should be
used because too much pressure on the wrench not only makes it hard to feel any
change in torsional pressure, but tends to bind all the pins, making picking
order difficult to determine. The tension wrench needs only to provide a
little torque so that the pins stay up once picked.
Raking and Vibration picking
You can also use the raking and vibration picking methods described in the
section on wafer tumbler locks to pick pin tumblers. You can even use a
combination of raking and pin picking. Simply rake the pins a few times, and
then go back and pick any pins that the rake missed. You can use the hook pick
to probe each pin. If the pin feels "springy" then it has not yet broke at the
shear line.
Another technique: Start picking at the back pin, the one furthest away
from you as you face the keyway. The reason for this is relatively simple.
The rear pin will be the last worn, and when you break it, the lock's plug will
move the most it ever will for just one pin breaking. This will make it easier
to pick the other pins, as the break between the inner and outer cylinders will
be progressively held tight against the pin you are working, as you work the
lock from rear to front. The reason the rear pin is least worn is that
inserting a key "rakes" the pins up and down, wearing down their sides. The
rear pin is raked only once per time the key is inserted, the pin in front of
it is raked twice, and so on. Its not uncommon to see locks in which the front
pin can not be picked before the rear ones. The reason was that it was worn
down to the point that no amount of torsion would cause the inner plug to put
any force against it. Consequently, it won't break.
Rapping
Sometimes you can use a form of vibration picking known as rapping to open
a pin tumbler lock. A tension wrench is inserted into the keyway, and light to
moderate tension is applied. At the same time, the face of the plug is struck
sharply with a plastic mallet or hammer handle. The rapping forces the springs
and pins to gravitate toward the force of the blows. Hopefully this vibrates
the picks into their breaking positions. DO NOT HIT TOO HARD! Approach this
method with caution.
Practicing
To learn how to pick pin tumbler locks, it is best to go to the store and
buy a "practice" lock. Try to find either a KwikSet brand or a cheap Ilco lock
cylinder. On top of the lock shell is a little sliding strip that covers the
pin spacings. Carefully slide it out. you can then take out the spring, the
top pin, and the bottom pin. Remove all but one the assemblies and replace the
cover. Now you can practice on picking the lock with only one pin. When you
become good at that, insert another stack of pins, and so on until you can pick
the lock with all five pins in place.
Spool Pins
It is possible that in the course of picking a high security pin tumbler
locks, the plug will turn a bit as if it were going to unlock, then stop. I
will turn no more than 2 or 3 degrees around. This means you have encountered
a spool pin. These are simply drivers, or key pins, or both that have had
their center portions cut down to a smaller diameter.
______
|_ _|
| | | | Lock body Note that any torsion applied to the
___| | | |____ cylinder will tend to catch the spooled
||____|| pins at their waists instead of at the
| ____ | Cylinder break between the pins. This will
||_ _|| either prevent the pick from pushing
| | | | the pin up if the top spool is caught,
| | | | or it will prevent the pin from falling
___|| ||____ down, if the bottom spool is caught.
| |
\__/ Keyway
spool pins
With a hook pick, you'll be able to press up on each pin and feel the
difference. When you have a spool pin caught across the shear line, gentle
upward pressure will result in force in the opposite direction of the way
you're turning. Determine which pins are spool pins and push up until the
bottom of the pin (assuming it's a top pin) crosses the shear line. You might
lose some previously picked pins, but just pick them again.
Interlocking Pins
Several manufacturers have designed high security locks involving angled
and interlocking pins. Emhart makes a cylinder using angled cuts on the keys
where the top and bottom pins actually interlock:
+--------------+
| |
| Top |
| Pin |
| |
| | Interlocking Pins
+-----+ +-----+
+---+ | | +---+
| | | | | |
| +-+ | | +-+ |
| | +-+ +-+ | |
| | | | | |
| | +------+ | |
| +----------+ |
| |
| Bottom |
| Pin |
So the pins have to be turned to the correct angle in order for the pins
to slide apart when you turn the plug. This also means that the cylinder has
to be grooved to allow for the portion of the top pin sticking down, and the
bottom of each key has notches in it so that it can turn more than 180 degrees.
Tubular Cylinder Locks
~~~~~~~~~~~~~~~~~~~~~~
Tubular cylinder locks are widely accepted as the most secure locks you
can get for a reasonable price. Tubular cylinder locks are the round type
locks you find on most vending machines, ATMs, and the like. They are
basically a pin tumbler lock where the pins are arranged on a circular plane.
The key is a cylinder with cuts around its perimeter. When the key is
inserted, each pin (whose faces are visible) is pushed in the corresponding
depth and the plug can be turned.
Picking
Your best bet for picking these locks is to purchase a specially designed
tubular cylinder pick. While it can be picked with conventional tools, it
takes forever because you have to pick it three or four times to turn the plug
the 120 to 180 degrees needed to unlock it. And what's worse is that the
cylinder locks after each time you pick it -- every one-seventh of a turn! If
you want to try it, here's how.
If you don't have a tubular cylinder pick you will require a wrench that
is .062 inches square on its end. Fit this into the groove of the tubular
cylinder plug. Apply tension in a clockwise direction, then use a straight pin
to push each pin down until it clicks into place. Proceed to the next pin,
until all are picked and the plug turns a few degrees. You will have to repeat
this until it unlocks. Do not leave the locks halfway picked. If you do, even
the original key will not be able to open the lock until it has been picked
back into its original position. Good Luck!
Lock Picking Tools
~~~~~~~~~~~~~~~~~~
The Basic Picks
|
_______________________________________|
tension wrench
This is the standard tool for pin and wafer tumbler
locks. It is inserted in the bottom of the keyway
to provide a torsional force to the lock cylinder.
______________________________________/|
half-diamond pick
The half-diamond pick can be used for raking or
picking wafer tumbler locks, or picking pin tumbler
locks where the distance between pins is small.
---------------------------------\/\/\/\
rake
Not surprisingly, the rake (sometimes called a snake
pick) is used to rake wafer and pin tumbler locks.
.
______________________________________/
hook
The hook (also known as the feeler or lifter pick)
is normally used for picking pin and lever tumbler
locks, but can be used on larger wafer locks.
______________________________________O
O ball
_____________________________________OO
OO double ball
The ball type picks are actually not as pronounced
as they look here in the ascii diagram. Imagine a
"ball" of a little less height, a bit more width.
Though not essential, the ball picks can be used
when attempting to rake a wafer-tumbler lock.
Lever Tumbler Tension Wrench
The big difference with a lever tumbler is in the method of applying
torque. The cylinder, in models where it's visible, rotates freely--it does
not operate the bolt. Rather, the end of the key goes into a notch in the
bolt, directly operating it, just as in a warded lock. This means you need a
different torsion wrench, that looks like this:
_______
|
|
|
|
|
|
|
|
|__________________
Obtaining Lockpicks
Now I'm sure that you are ready to start practicing. Unfortunately,
locksmiths and the public in general seem reluctant to make picks an easy item
to obtain. Therefore you can either make your own, (not that difficult) or
obtain them from a commercial supplier (also not that difficult.)
Making Your Own Picks
You can file or grind picks out of spring steel. It is best to use spring
steel - sources include hacksaw blades, piano (music) wire, clock springs,
streetsweeper bristles (which can be found along the street after the sweeper
has passed), etc. Or, go down to the auto parts store and buy a few stock
lengths of .022 in. automobile feeler gauge. You can cut each one in thirds
and make a pick from each piece. In a pinch safety pin steel, or even a bobby
pin (much worse) can be used. Also try the metal band that holds a set of
walkman type earphones together. It is already the perfect width and all you
have to do is grind the indentations on it. It makes a really great heavy duty
wrench also.
You will need an electric grinder, or a grinding wheel mounted on a drill,
to shape the picks. When grinding, keep the steel from getting so hot as to
anneal (soften) it. You may have to re-harden or re-temper it.
Temper the steel by repeatedly getting it red-hot against the grinder,
then quenching it. What you get won't be feeler gauge and it won't be spring
steel, but something in between that has some give to it and won't shatter.
For a tension wrench, while you're at the grinder, take a medium-sized
Allen wrench and grind its hexagonal head into a flat blade. Alternatively,
you can use a small screwdriver, bent at the end. (Bending a screwdriver with
any precision is pretty tough). Bobby pins also make an alright tension
wrench, especially the larger ones. They work best if you cut them off and
flame to red hot with a burner. Then while it's still hot twist it 180 deg
with a pair of vicegrips or needle nose pliers, and bend down the end so it
looks like the professional ones, this gives it more 'spring'. The flaming
should be done, maybe 3/4ths of an inch from the end. Finally file and sand
rough spots from where you cut it.
If you take the finest or next to finest crochet hook they make and file
down the sides of the business end of it so it will fit in the lock, you can
make an excellent feeler pick.
Picks from Paper Clips
To open a lock with two paper clips, unbend one like this:
____________
/ \ This shape is your lockpick, you
\__________________________/ put the end with the little hook
in the lock and use it to fiddle
with the pins.
Unbend and re-bend the other paperclip like this:
____________
/ \ This shape is your torsion
\______________________ wrench. You use it to put
| torque on the lock cylinder.
_| When the hook is in the cylinder
the handle should hand off to
the side and the final bend on
the hook should be short enough
that there is room to get the
pick into the keyhole.
Warning: Filing cabinets and desks are pretty easy to do with these, but
it's not easy to do a door lock with them. Better materials really do help
when you're dealing with more than 4 pins in a lock.
Making a Pick Gun
Get yourself a piece of music wire from the local hobby shop. Find wire
that seems just a bit big for an average keyway. This will be ground down
later so that it can be inserted. Wire of this diameter is so stiff you may
doubt that you have the right size. But you need this stiffness for the device
to work. Don't use wire that is too light.
You want to bend a circle in the wire about 5 inches back from the end.
You want enough length in the first straight part to go all the way into the
keyway and leave enough to comfortably fit in your hand. Call this straight
part Side A. Try bending the wire around the body of a Magic Marker; this
seems to make a nice sized loop. The loop should be 360 + 180 degrees so that
the long end of your wire is now parallel to side A. Let's be original and
call this Side B.
Use pliers to make a 90 degree bend in side B so that the end of it
crosses side A. This bend should be located so that the part of side A which
extends past the bent part of the wire is long enough to go all the way into
the keyway. Hey, why don't we call this cross-piece Side C? Bend this
cross-piece 180 degrees around side A so that it forms a slot for side A to
slide up and down in. Call the wire segment which goes from A to B and is
parallel to C, Side D. Snip off the end of side D which extends beyond side B.
We now have an object which resembles a safety pin (hence the name) which
has one side (side A) which slides up and down in a slot made by sides C and D
and which is held in the bottom of this slot by the spring tension in the loop
between sides A and B.
Grind the sides of the piece which is to go in the keyway so it will fit.
Grind the top of this piece flat. The Top is the side toward side B. This is
the part which will be against the tumblers. Bevel the end so it will slide
under the tumblers more easily.
To use the gun, insert the end into the keyway with side B up. Press down
on side B with your thumb to slide the slot C-D down. Let your thumb slip off
the wire and the spring will pull side B back up. When the bottom of the C-D
channel hits the bottom of side A, it delivers a sharp blow to the bottoms of
the pins. Use VERY light pressure on the tension wrench and snap the gun a few
times to knock the pins up to the shear line. See the section on wafer locks
for a more information.
Electric Vibration Picks
The motor/base casing from a electric toothbrush, or vibrator makes a
decent vibrator pick (pick gun) when you superglue a straight pick to it. Alot
cheaper than the pro models, and generally smaller too.
Purchasing Your Picks
Generally picks are not sold over the counter. Your best bet is to order
them from a mail order firm. Most firms will inquire as to your profession
when making a purchase. They may not wish to sell them to you unless you are
some sort of pubic safety personnel such as an EMT or a fireman. They are
available from a variety of sources. Here are some of the most popular:
----------
Gall's Inc.
(800)-477-7766
Catalog #BA
----------
Item # : ALS15B
Price : $19.99
Name : 10-Piece Locksmith Pick Set
"Be prepared for any lock-out. Nine picks and wrenches are grouped in a handy
foldover carrying case that is small enough to carry in your pocket. Order you
lock pick set and keep it handy for easy entry to any lock-out situation.
Black."
Item # : PG1B
Price : $59.99
Name : Lock Pick Gun
"Our trigger action lock pick gun opens doors easily. Just use it with the
included picks and instructions -- with a little practice, you can smoothly
open any locked house or apartment."
----------
Delta Press Ltd.
(800)-852-4445
----------
Item # : LPS-002
Price : $24.95
Name : The 8 Piece Tool Set
"These high quality picks feature new lighter non-breakable plastic color coded
handles. Picks are of .022 blue spring steel - hardened to perfection Eight
piece set comes with handy see-through case."
Item # : LPS-003
Price : $39.95
Name : The 11 Piece Tool Set
"This deluxe 11 piece kit features all metal handles and comes in a discrete
carrying case for undercover operatives. All picks are .022 blue spring steel
and hardened to perfection."
Item # : LPS-005
Price : $119.95
Name : The 60 Piece Tool Set
"Here it is. The finest lockpick set we've stocked. It includes 60 picks,
tension wrenches, and a broken key extractor plus a zippered top grain cowhide
case and warded master keys."
Item # : LPS-004
Price : $59.95
Name : Professional Locksmithing Tool
"The famous lockaid Tool was designed for law enforcement agencies to quickly
pick pin tumbler locks. The american-made product is the only superior "lock
gun" available. Unlike conventional hand picks that activate only one or two
cylinder pins, this tool is designed to span all the pins at once. The needle,
powered by trigger action, strikes all t the cylinder bottom pins
simultaneously. As the force is transferred to the upper pins, they
momentarily rise in the chambers. Comes complete with 3 stainless steel
needles and tension wrench."
----------
Phoenix Systems Inc.
(303)-277-0305
----------
"OUR LOCK PICKS ARE THE FINEST QUALITY PROFESSIONAL TOOLS AVAILABLE. Each pick
is made of hard-finished clock-spring steel, tempered to the correct degree of
hardness. Whether the subject is wafer tumbler locks or 6 & 7 pin tumbler
locks, our picks are the best available, and the standard of the industry.
With a few minutes of practice, even a beginner can open most padlocks, door
locks and deadbolts. NOTE: BE SURE TO CHECK YOUR LOCAL, AND STATE ORDINANCES
GOVERNING POSSESSION OF THESE TOOLS."
Item # : 604
Price : $75.00
Name : Superior Pick Set
"Hip pocket size in top grain leather case. Our most complete set. 32 picks,
tension tools & extractors."
Item # : 606
Price : $34.95
Name : Tyro Pick Set.
"An excellent choice for the beginner. Cowhide leather case contains 9 picks,
tension wrenches & key extractor."
Item # : 607
Price : 9.95
Name : Warded Padlock Pick Set
"This 5 piece padlock pick set is made of the finest blue tempered spring
steel. This set will pick open most every warded padlock made today."
Item # : 610
Price : $24.95
Name : Double Sided Tumbler Lock Picks
"Set of 4 picks for use with double-sided, disc tumbler, showcase, cam and
PADLOCKS. An excellent addition to your other pick sets."
Item # : 617
Price : $39.95
Name : Padlock Shim Picks
"Open padlocks in seconds! Our new Padlock Shim pick's unique design makes
them so successful that it is frightening! Simply slide the shim dow
n between
the shackle and the lock housing, twist and the lock is open. Works best on
laminated type padlocks (the most popular type) but will open ALMOST ANY TYPE
OF PADLOCK -- INCLUDING THE POPULAR 3 NUMBER COMBINATION TYPE. Include 20
shims -- 5 each of the 4 most common shackle diameters for perfect fit every
time. Comes with complete instructions."
Item # : 618
Price : $34.95
Name : Schlage Wafer Pick Set
"There are two types of Schlage wafer locks, each needing a different base key
to pick with. This set comes with both types of base keys and the pick. With
the proper base key the lock is already half picked. Very quick and easy to
use. Comes with complete instructions.
Item # : 620
Price : $59.95
Name : Pick Gun
"Picks locks FAST. Open locks in less than 5 seconds. Specifically designed
for tumbler locks. Insert pick into key slot, then just pull trigger. Throws
all pins into position at one time. Lock is then turned with tension bar.
Used extensively by police and other government agencies. Gun is spring
loaded, with tension adjustment knob. Comes with 3 needle picks and tension
bar. No batteries necessary. Life-time guarantee.
Item # : 612
Price : $16.00
Name : The Slim Jim
"Car door opener. The tool does not enter inside the car. Opens a car door by
"feel" rather then sight. With a little practice, car opening will be no
problem. For GM, Ford and Chrysler cars. Made of clock-spring steel and is
hand finished."
Item # : 613
Price : $16.00
Name : The Super Jim
"This tool will open most GM, Ford and AMC car doors. Opener does not enter
vehicle. Made wider and thicker, and is bright nickel plated. Faster openings
on most domestic automobiles. With illustrated instructions."
Item # : 614
Price : $19.95
Name : Houdini Car Door Opener
"The latest and best innovations on car door openers. It works the same as
your old Slim Jim, except it now folds neatly to fit in pocket or toolbox
without getting in the way. ONLY 6 1/2 INCHES LONG WHEN FOLDED. Open up and
snaps into place like a fold-up ruler, excellent stainless steel constructions
with vinyl handle for comfort."
Item # : 615
Price : $39.95
Name : Pro-Lok "Car Killer" Kit
"Over the years we have had thousands of requests for a multi-vehicle opening
kit. We are now able to offer the most complete kit that we have ever seen.
This kit of tools will open over 135 automobiles, both domestic and foreign, on
the road today. The opening procedure for each vehicle is diagrammed and
explained in the instruction manual. Kit comes with complete instruction
manual and gas cap pick tool."
Item # : 600
Price : $129.95
Name : Tubular Lock Pick
"This tool is an easy and reliable method for picking tubular locks, as found
on commercial vending machines, washers, dryers, etc. This newest high tech
design is much faster and easier to use than the old type that used rubber
bands to hold the feeler picks. Internal neoprene "O" rings together with
knurled collar provide a very simple and easy tension adjustment. Sturdy
stainless steel construction provides for long-lasting service. This tool
will, with a little practice, easily and quickly open any regular center-spaced
tubular lock -- the most popular type of tubular lock on the market. Comes
with complete instructions and leather carrying case."
Tips for Success
~~~~~~~~~~~~~~~~
Following is information that will help you become more adept at
manipulating locks. Solutions to common problems and general miscellaneous
information that could prove useful is included.
Determining the Direction of Rotation
Before you can pick a tumbler type lock, you must determine the correct
direction of rotation. It may sound like a trivial point, but who wants to
waste hours trying to pick a lock the wrong direction. Though there will of
course be exceptions, there are some general guidelines. Cylindrical locks,
padlocks, file cabinet locks almost always turn in a clockwise direction or
either direction to open. When confronted with a door lock, turn the plug so
that the top of the keyhole turns toward the edge of the door. There is a
notable exception here, Corbin and Russwin locks turn AWAY from the door edge.
Tight or Dirty Locks
If a lock seems exceptionally tight or dirty, it will be hard to break the
pins. It may help to lubricate the lock. NEVER use a liquid type lubrication
such as WD40, 3-in-1 oil, etc... Use powdered graphite, available in most
hardware stores. It comes in a little tube, allowing a light squeeze to blow a
puff of graphite into the keyway. If lubrication does not help, you may need
to apply a little firmer hand on the tension wrench.
Proper Attitude
It is very important to maintain a confident attitude while you are
learning to pick locks. If you feel nervous or stressed, it will only
make things harder. You will not be able to pick every lock you come to,
but with practice and patience, you may be surprised. Visualise what is
happening inside the lock, this is the key. If you don't fully
understand how a lock works and exactly what you are doing to it, you will
not experience a high degree of success.
Combination Locks
~~~~~~~~~~~~~~~~~
Combination locks work on a series of flat, round disks that have notches
and pegs (one of each, one set per disk) along their circumference. Notches
are referred to as "gates". The first tumbler determines the last digit of the
combination, and is actually attached to the dial directly. As the dial is
turned, the peg of the first tumbler catches on the middle tumbler's peg,
dragging it along. As the dial is turned further, the middle tumbler latches
on to the peg of the last tumbler, all three turning together. Turning all the
tumblers is known as "clearing" the lock, and must be done before attempting to
operate the lock. For the lock to open, the gate on each disk must align up
with the pawl (breaking arm) of the bolt.
Dialing the first digit of the combination aligns the last tumbler's gate
to the pawl. Before dialing the second digit, the dial must be turned one
complete turn in the opposite direction (assuming a three tumbler lock, twice
for a four digit one). Rotating in the original direction to the last digit
will align the first tumbler's gate, and the lock can open. Modern safe
combination locks are impossible to crack (literally). Many innovations have
given high quality locks this degree of security. Burglars learned to feel the
gates and pegs rotate about the lock, allowing them to manipulate the tumblers
into their proper position. To combat this, a searted front tumbler was
designed to create shallow "false gates". The false gates are difficult to
distinguish from the actual gates. To combat this problem, safe crackers would
hook up a high speed drill to the dial. This would wear the tumblers edges
smooth, eliminating the bothersome shallow gates. Still, despite their
security, cheap combination locks are far from foolproof.
Determining an Unknown Combination
The most common and difficult to open of these small disk tumbler locks
are the Master combination padlocks, and they are quite popular. With
practice, they CAN be opened. The newer the lock is, though, the more
difficult it will be to open at first. If the lock has had a lot of use, such
as that on a locker-room door where the shackle gets pulled down and encounters
the tumblers while the combination is being dialed, the serrated front tumblers
will become smoothed down, allowing easier sensing of the tumblers. So, until
you have become good at opening these locks, practice extensively on an old
one. Here's how.
Step One
First, clear the tumblers by engaging all of them. This is done by
turning the dial clockwise (sometimes these locks open more easily starting in
the opposite direction) three to four times. Now bring your ear close to the
lock and gently press the bottom back edge to the bony area just forward of
your ear canal opening so that vibrations can be heard and felt. Slowly turn
the dial in the opposite direction. As you turn, you will hear a very light
click as each tumbler is picked up by the previous tumbler. This is the sound
of the pickup pegs on each disk as they engage each other. Clear the tumblers
again in a clockwise manner and proceed to step two.
Step Two
After you have cleared the tumblers, apply an upward pressure on the
shackle of the padlock. Keeping your ear on the lock, try to hear the tumblers
as they rub across the pawl; keep the dial rotating in a clockwise direction.
You will hear two types of clicks, each with a subtle difference in pitch.
The shallow, higher pitched clicks are the sound of the false gates on the
first disk tumbler. Do not let them fool you-the real gates sound hollow and
empty, almost nonexistent.
When you feel a greater than normal relief in the shackle once every full
turn, this is the gate of the first tumbler (last number dialed). This tumbler
is connected directly to the dial as mentioned earlier. Ignore that sound for
now. When you have aligned the other two tumblers, the last tumbler's sound
will be drowned out by the sound of the shackle popping open.
Step Three
While continuing in a clockwise direction with the dial, listen carefully
for the slight hollow sound of either one of the first two tumblers. Note on
the dial face where these sounds are by either memorizing them or writing them
down. Make certain that you do not take note of the driving tumbler (last
number dialed). If you hear and feel only one hollow click (sounds like
"dumpf"), chances are that the first number could be the same as the last one.
You should have two numbers now. Let us say one of them is 12 and the
other is 26. Clear the tumblers again just to be safe and stop at the number
12. Go counterclockwise one complete turn from 12. Continue until there is
another "dumpf" sound. After the complete turn pass 12, if you feel and hear a
louder than normal sound of a tumbler rubbing on the pawl, the first tumbler is
properly aligned and the second tumbler is taking the brunt of the force from
the shackle-you are on the right track. When the second tumbler has aligned in
this case, you will feel a definite resistance with the last turn of the dial
going clockwise. The final turn will automatically open the shackle of the
lock. If none of these symptoms are evident, try starting with the number of
the combination, 26, in the same way.
Step Four
If the lock still does not open, don't give up. Try searching for a
different first number. Give it a good thirty or forty minute try. If you
play with it long enough, it will eventually open. The more practice you have
under your belt, the quicker you will be able to open these padlocks in the
future.
Using a stethoscope to increase audibility of the clicks is not out of the
question when working on disk tumbler locks, though usually not needed for
padlocks. A miniature wide-audio-range electronic stethoscope with a magnetic
base for coupling a piezoelectric-type microphone is ideal for getting to know
the tumblers better.
Sesame Locks
Another type of disk tumbler padlock is the Sesame lock made by the Corbin
Lock Co. Its unique design makes it more difficult to open than Master
padlocks, but it can be opened. Let's take one of the three or four wheel
mechanisms, look at a cross section, and see how it works. The wheel has
numbers from zero to nine. Attached to the wheel is a small cam. Both the
wheel and cam turn on the shaft. Each wheel in this lock operates indepen-
dently with its own cam and shaft. The locking dog is locked to the shackle.
In this position the shackle cannot be opened. The locking dog operates with
all three or four wheels. The locking dog is riding on the round edge of the
cam. The spring is pushing up on the cam. The locking dog cannot move up
because it is resting on the round part of the cam. When the wheel is turned
to the proper combination number, the locking dog rests on the flat of the cam.
The spring can then raise the locking dog to release the shackle, and this
opens the lock.
Magnetic Locks
~~~~~~~~~~~~~~
Magnetic locks are a recent innovation to the security world. Their basic
operation involves the principle that like poles of a magnetic repel each
other, while opposite poles repel. A magnetic lock then does not have pins,
but magnets (which are often behind a plastic "roof" on the keyway). When all
these magnets are in the "repelled" position, meaning a similar magnetic pole
is below them, a lever arm releases the lock. A key then would have a magnet
arrangement identical to that of the lock. These locks may be activated either
by a flat, notchless key, or by use of a magnetic card, where in the lock
actually uses a two dimensional arrangement of magnets. These are not too
common, but can be found in some installations.
Opening Magnetic Locks
By using a pulsating electromagnetic field, you can cause the magnets in
the lock to vibrate at thirty vibrations per second, thereby allowing it to
open by applying constant tension to the bolt. You should be able to purchase
one of these "picks" from a locksmith supply company. Unfortunately, this
method usually ruins the properties of the lock's magnets, so use it in
emergencies only. The magnetic pick can be used in padlocks by stroking it
across the place where the key is placed. It is also designed to fit into a
doorknob and is then used by stroking one pole in and out.
Simplex 5-button combination locks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(*Hobbit*'s in-depth evaluation)
This deals with the Simplex or Unican 5-button all-mechanical combination
locks. They are usually used in a variety of secure but high-traffic
applications, and come in a number of flavors: dead bolt, slam latch, lock
switches for alarms, buttons in a circle or a vertical line, etc. The internal
locking works are the same across all of these. Herein will be described the
mechanical workings and a method of defeating the lock that falls out by
logical inference and observations from playing with it.
The internals
Caveat: If this seems unclear at first, it is because the absolutely best
way to understand the inner mysteries is to take a Simplex lock apart and study
it. It is highly recommended that the reader obtain and disassemble one of the
units while studying this; otherwise the following may be confusing. The
locking mechanism box is swaged together at each end, but it is trivial to open
up without destroying it. To set a lock up for study, remove the back, leaving
the front plate held on by its Jesus clip. Put a spare thumb turn down over
the shaft so you have something to grab. Take care not to lose the button
connecting pins; they drop out.
In the round configuration, the buttons talk via bent bars in the
faceplate to the same vertical column as the straight ones. Thus all buttons
henceforth shall be referred to as if they were in a straight vertical row,
numbered 1 to 5 reading downward. The actual locking mechanism inside is a
small metal box, about 3 inches high and .75 x .75 inch across the base. It
contains five tumblers, one corresponding to each button, a common shift bar,
and a couple of cams to handle reset and unlocking. The user dials the
combination and turns the handle to the right to open the lock, or to the left
to reset any dialed digits if he made a typo. If the proper combination has
not been dialed yet, the shaft will not turn to the right. Setting a
combination shall be described later. Some of the linear-style locks are
actually made by Unican, but have the Simplex box inside. For these, a
clockwise twist serves as both open and reset. There is a detent plate and a
screwy lever system; if the lock is not open yet, the lever cannot turn to the
*box*'s right. The detent slips, allows the levers to shift the other way, and
the box arm is then turned to the left. If the detent does not slip, it's
open, and the plate locks to the latch shaft and pulls it back.
Each of the five tumblers has six possible positions. Each button does
nothing but push its corresponding tumbler from the 0 position to the 1
position. Therefore, each button can only be used once, since once the tumbler
has moved, the button has no further effect. The trick comes when *subsequent*
buttons are pushed. Each button press not only shoves its tumbler from 0 to 1,
it also advances any "enabled" tumblers one more step. When a tumbler is
enabled, its corresponding gear has engaged the common bar and pushed it around
one position, so the next button press will do this again, thus taking
previously enabled tumblers around one more notch. This way, the further-in
tumbler positions can be reached. It can be seen that there are undialable
combinations; for instance, only *one* tumbler can reach position 5 for a valid
combination [Positions labeled 0 thru 5, totalling six]. If one sits down and
figures out possible places for the tumblers to go, many combinations are
eliminated right away, so the number of possibilities is *not* 6^5 as one might
expect. Two-at-once pushes are also valid, and are *not* the same as pushing
the given two in some other order. Pushing two [or three or ...] at once
simply enables two tumblers at once and shoves them to position 1 at the same
time. [This of course leaves less buttons unused to push them in farther!] The
tumblers themselves are small round chunks of metal, with gear teeth around the
top half and a notch cut into the bottom edge. When all these notches line up
with the locking bar, the lock is open. The tumblers are mounted on a vertical
shaft so they can spin, with the locking bar fingers resting against the bottom
of each one. The locking bar is prevented from rising if any notch is turned
away from it. Juxtaposed to the tumblers is another shaft containing idler
gears, which in turn talk to the common bar in the back. The intermediate
shaft slides up and down and makes combination changes possible. Note: The
buttons actually talk to the idler gears and not the tumblers themselves. This
is necessary since during a combo change, the tumblers cannot move because the
locking bar teeth are sitting in the notches.
[Editor's note: Simplex locks are set at the factory with a default code of
(2-4), 3. This is often not even changed.]
Combination change, other random facts
Once you know the current combination, you might want to change it.
Instructions for doing this undoubtedly come with the lock; but it's real easy.
There is a screw in the top with a hex hole; remove this from the lock body.
Dial the proper combination, but don't move the handle. Press straight down
through the hole with a small screwdriver, until you feel something go "thunk"
downward. The lock is now in change mode. Reset the tumblers [leftward
twist], enter your new combination, twist the handle as though opening the
lock, and your change is now in effect. Re-insert the screw. This does the
following: The thing you hit with the screwdriver pushes the tumblers down onto
the locking bar [which is why the proper combination must be entered], and
disengages them from their idler gears. Button presses turn the *idler*
*gears* around, and then the opening action shoves the tumblers back up to mesh
with these gears in their new positions. A subsequent reset mixes the tumblers
up again to follow the new combination. This description is admittedly
somewhat inadequate; the right thing to do is take one of the locks apart and
see for one's self what exactly happens inside.
The Unican model has a disk-locked screw on the rear side. Removing this
reveals a round piece with a flat side. Twist this clockwise to enable change
mode as in the above. This lock, of course, would be a little more secure
against random people changing the combination for fun since you ostensibly
need a key to get at it. Keep in mind that "reset" on these is done by turning
the knob all the way *clockwise* instead. There is a linkage that ensures that
the shaft inside goes counterclockwise for the time that change mode is
enabled.
It is amusing to hear local locksmiths call the Simplex internals a
"computer". It would seem that none of them have taken one apart to see what
is really inside; the box is painted black as far as they are concerned and
non-openable. Obtaining one is the unquestionably best way to learn what's in
there. Unfortunately they cost on the order of $120, a price which clearly
takes advantage of the public's ignorance. These locks are *not* pick-proof
after all, and anyone who maintains that they are is defrauding the customer.
There are a variety of ways to increase the picking difficulty, to be discussed
elsewhere. Your best bet is to borrow one from somewhere for an evening and
spend the time learning its innards.
Determining an unknown combination
Contrary to what the marketing reps would have you believe, the locks can
be opened fairly quickly without knowing the set combination and without
damaging the lock. Through a blend of a soft touch, a little hard logic, and
an implicit understanding of how the locking mechanism works, they generally
yield within five minutes or so. [There are *always* exceptions...]
This method requires that one does not think in terms of a sequence of
button presses. One must think in terms of tumbler positions, and simply use
the buttons to place tumblers where desired. For practical description
purposes, it will be assumed that the buttons connect right to the tumblers,
rather than the idler gears that they really do. The idler gears are a
necessary part only during combination changes. Unless you are doing a change,
considering it this way is pretty close to the facts. Remember that a 0
position means the button was never pushed, and 5 is enabled and shifted as far
as possible.
Turning the thumb handle to the right [clockwise] raises the locking bar
against the tumblers. Since the lock is never machined perfectly, one or more
tumblers will have more pressure on it than other ones, and this shows up as
friction against it when it is turned via the button. This friction is felt in
the short distance between fully-extended and the detent on the button [the
first 2 or 3 mm of travel]. Some will travel easily to the detent, and others
will resist efforts to push them in. Suppose you are twisting the handle, and
tumbler 1 has lots of pressure on it [you can feel this when you try to push
button 1 in]. When you back off the tension on the handle a little bit, the
button can be pushed in against the resistance. The fact that the button has
resistance at position 0 tells you that tumbler 1's proper position is *not* 0,
or there would be no pressure if the notch was there! Upon pushing button 1
in, you find that no pressure has appeared at any other button. This
eliminates position 1 for tumbler 1, also. Now, how do you get tumbler 1 to
different positions so you can test for pressure against other ones? Push
subsequent buttons. Push any other button, and tumbler 1 advances to position
2. Ignore what the other tumblers are doing for the moment. Now, perhaps
another button has some resistance now. This means that tumbler 1 is either at
the right position, or getting close. Basically you are using other tumblers
to find out things about the one in question. [Keep in mind that the first one
with friction won't *always* be tumbler 1! Any tumbler[s] could have the first
pressure on them.] Continuing, push another "don't care" button. A "don't
care" button is one that is not the one you're trying to evaluate, and not the
one that recently showed some friction. What you want to do is advance tumbler
1 again without disturbing anything else. Did the pressure against your test
tumbler get stronger, or disappear? If it got stronger, that points to an even
higher probability that tumbler 1 is supposed to be at 3, rather than 2. If
the pressure vanished or became less, 1 has gone too far, and you were safer
with it at position 2. Let's assume that the pressure against your test
tumbler increased slightly when tumbler 1 was at 2, increased even more when
tumbler 1 was at 3 and vanished when you pushed it onward to 4. Reset the
lock. You now know the proper position of tumbler 1 [that is, whatever tumbler
first had pressure on it]. You've already drastically reduced the number of
possible combinations, but you aren't finished yet.
You can now eliminate positions for the next one or two tumblers the same
way -- but to set things up so you can feel the pressure against these, you
must ensure that your newly-known tumbler [1 in this case] is in its proper
position. It is useful to make a little chart of the tumbler positions, and
indicate the probabilities of correct positions.
Positions
0 1 2 3 4 5
----------------
1 : L L + T L | <-- Indicates that tumbler 1 is not
0, not 1, maybe 2, more likely 3.
Tumbler 2 : | | | | | |
number
3 : | | | | | |
4 : L | | | | | <-- Indicates that tumbler 4 is not 0.
5 : | | | | | |
This chart is simply a bunch of little vertical lines that you have drawn
in a 5x6 matrix; the topmost row corresponds to button 1 and the lowest to 5.
Mark the probabilities as little hash marks at the appropriate height. The
leftmost bar indicates position 0, rightmost 5; a high mark on the left side
indicates that the tumbler is 0, or is never used. The relative heights of
your tick marks indicate the likelihood of the notch on the respective tumbler
being there. If you don't know about a position, don't mark it yet. This
chart serves as a useful mnemonic while learning this trick; as you gain
experience you probably won't need it anymore if you can remember tumbler
positions.
A tumbler at the 0 position is already lined up before any buttons are
pressed. This will feel like a lot of loose play with a little bit of pressure
at the end of the travel, just before the enable detent. Be aware of this;
often enough the first button with pressure can be a 0, and if you aren't
watching for 0 positions you can easily assume it's a don't care, push it, and
screw your chances of feeling others. Make sure your "don't care" test buttons
aren't supposed to be at 0 either. It's a good idea to run through and try to
find all the zeros first thing.
Let us continue from the above. You have found that tumbler 1 is most
likely to bet at position 3, with a slim chance of position 2. This is marked
in the above chart. The reason this can happen is that the tops of the locking
bar teeth are slightly rounded. When the tumbler is one away from its opening
position, the locking bar can actually rise higher, since the notch is halfway
over it already. So don't assume that the first increase in pressure on other
buttons is the right position for the one you're finding out about. Let's
assume that the next pressure showed up on button 4. You can feel this when
tumbler 1 is at position 3; to get tumbler 1 out there, let's say you used the
sequence 1,2,3. 2 and 3 were your "don't care" buttons used only to push 1
around. Therefore now, tumbler 1 is at position 3, 2 is at 2, and 3 is at 1.
5 and 4 are at 0, and can therefore be felt for pressure.
The next step is to find the proper position for the next button with
pressure against its tumbler. Many times you'll get more than one that exhibit
pressure at the same time. Figure out which button has more pressure on it now
with your first tumbler in the right position. In this example, only 4
applies. You now want to advance tumbler 4 to different places, *while*
keeping 1 at its proper place. 1 must always advance to 3 to free the locking
bar enough to press on other tumblers. To place tumbler 1 at position 3 and 4
at position 1, you would do something like 1,2,4 and check 3 and 5. To place
tumbler 1 at position 3 and 4 at 2, you would do something like 1,4,2. To
place 1 at 3 and 4 at 3, you have to press 1 and 4 at the same time, and then
advance that mess by two positions. If you use 2 and 3 for this, the notation
is (14),2,3, which means 1-with-4, then 2, then 3. You can also do 4,1,2,5 to
put 4 at 4 and check 3. If all these tests fail, that is, no pressure appears
at any other button, you can start assuming that 4 is supposed to be way out
there at position 5. For the example, let's say you did 1,4,2 and pressure
showed up on button 3. To double-check this, you did (14),2,5, and the
pressure on 3 went away. So tumbler 4 must have gone too far that time. Place
a fairly high tick mark on the chart at tumbler 4, position 2 to indicate the
probability.
Note: A better way to do that last test, to avoid ambiguity, is to do
1,(42),5 and check 3, then do (14),2,5 and check 3. This ensures that the only
change you have made is to move tumbler 4 from 2 to 3 an avoids the possibility
of movement of tumbler 2 giving bogus results. Through the entire process, you
want to try to change one thing at a time at every point. Sometimes one of
this sort of possible test setup won't tell you anything and you have to try
another one [in this case, perhaps 1,(45),2 and then (14),5,2 while checking 3.
This has simply swapped the positions of 2 and 5 during your testing].
You now know two tumbler positions, with a high degree of confidence, and
have further reduced the possible combinations. From here, you could mix
tumblers 2,3 and 5 into the sequence with various permutations, as long as you
place 1 and 4 correctly every time. This would still take some time and brain
work ... let's try to find out something about some other buttons. Place 1
and 4 where they're supposed to go ... the sequence 1,4,2 will do it, and see
what's up with the other buttons. 1,4,3 will leave 2 and 5 available. You
find eventually that 2 and 3 have the next bit of pressure distributed between
them [and are nonzero], and 5 feels like a 0, as described above. To confirm
this, advance 5 along with some other button and check 3. Bingo: There is no
pressure on 2 when 5 is enabled [and you have not changed anything else besides
5's position], so you can firmly decide that 5 is 0 after all. So leave it
there. [You did this by advancing 1 to 3 and 4 to 2, as usual, so you can feel
2's pressure in the first place.]
By now you should know the proper positions of three of the tumblers, and
have eliminated any other zeros by feeling their initial pressure. Now, since
2 and 3 have the next pressure on them, try and find out more about them. You
know they aren't zero; suppose we try 1? To do this you must get one of them
to 1, 1 to 3 as usual, 4 to 2, and leave 5 alone. How? Use hitherto unknown
buttons as dummies to position the tumblers right. For instance, the sequence
1,4,3 will do what you want here; you then check pressure on 2. Or 1,4,2 and
check 3. Here you may notice that the pressure on the leftover is a *little*
stronger than before, but not enough to make any sure judgement. Well, now you
want to advance an unknown to position 2 - but you suddenly notice that if you
do [by doing something like 1,(42),3] there are no free buttons left to test
for pressure! 'Tis time to try possibilities. Your only unknowns are 2 and 3
now. You must now advance 1 and 4 to their proper positions, leaving 5 alone,
while sprinkling the unknowns around in the sequence in different permutations.
Use your chart to remember where the known tumblers must go. Sometimes you get
two possibilities for a tumbler; you must work this into the permutations also.
In this particular example, you know that either 2 or 3 [or both!] must be the
last button[s] pressed, since *something* has to get pressed after 4 to advance
4 to position 2. An obvious thing to try is putting both the unknowns at
position 1 by doing 1,4,(23). Try the handle to see if it's open. No? Okay,
now leave one of the unknowns down at 1 and mix the other one around. For
instance, for 2 at 1 and 3 at 2, you do 1,(34),2 -- nope. Advance 3 one more;
(13),4,2 *click* -- huh?? Oh, hey, it's *open*!!
Well, when you are quite through dancing around the room, you should know that
your further possibilities here ran as follows:
3,1,4,2 ; to end the permutations with 2 at 1
1,(24),3 ; and permutations involving 3 at 1.
(12),4,3
2,1,4,3
One may see how things like 2,1,(34),x are eliminated by the fact that 1
must get to 3, and 5 must stay still. Since only 4 buttons could be used, no
tumbler can get to position 5 in this particular combination. Note also that
the farther *in* a tumbler has to go, the earlier its button was pressed.
If all this seems confusing at first, go over it carefully and try to
visualize what is happening inside the box and how you can feel that through
the buttons. It is not very likely that you can set up your lock exactly as
the example, since they are all slightly different. Substitute your first-
pressure button for the 1 in this example. You may even have one that exhibits
pressure against two or more tumblers initially. Just apply the
differential-pressure idea the same way to find their most likely positions.
The example is just that, to demonstrate how the method works. To really
understand it, you'll have to set your lock up with some kind of combination,
and apply the method to opening it while watching the works. Do this a few
times until you understand what's going on in there, and then you'll be able to
do it with the lock assembled, and then in your sleep, and then by just waving
your hands and mumbling....
A 5-press combination makes life a little tougher, in that you lose
versatility in your freedom of test positions, especially if your first-
pressure tumbler is at position 5. Here you can use the "almost" feature to
your advantage, and advance the errant tumbler to one before its proper spot,
and hope to see increased pressure on other tumblers. When a tumbler is one
away from right, the locking bar tab is hanging a large section of itself into
the tumbler notch, and the tab's top is slightly rounded. So it can rise a
little higher than before. If you twist the handle fairly hard, you can
distort the locking bar slightly and make it rise higher [but don't twist it
hard enough to break away the safety clutch in the shaft!] The chances of
someone setting this sort of combination without prior knowledge about the
*specific* lock are almost nonexistent.
As if that wasn't enough, the next thing to deal with is the so-called
"high-security" combinations involving half-pushes of buttons. The long
initial travel of the tumbler permits this. If you look at your open mechanism
and slowly push in a button, you'll see that the tumbler actually travels *two*
positions before landing in the detent, and further motion is over one position
per press. There is no inherently higher security in this kind of combination;
it's just a trick used against the average person who wouldn't think of holding
a button down while twisting the latch release. It's quite possible to defeat
these also. When you are testing for pressure against a tumbler set at
"one-half", you'll feel a kind of "drop-off" in which there is pressure
initially, and then it disappears just before the detent. Before testing
further buttons, you'll have to "half-enable" the appropriate "one-half"
tumblers so the locking bar can rise past them. Set your lock up with a couple
of combinations of this type and see how it works. Note that you must hold
down the "half" buttons just before the detent click while setting or opening.
This makes an effective 7 positions for each tumbler, but in a standard [no
"halfs"] setup, it's effectively 6. This is Simplex's "high-security" trick
that they normally only tell their high-dollar military customers about. After
working the lock over for a while, it's intuitively obvious.
The Unican type has no direct pressure direction of twist; if you turn too
far to the right you only reset the tumblers. What you must do is hold the
knob against the detent release just tight enough to press the locking bar
against the tumblers inside the box but not hard enough to slip the detent.
There is a fairly large torque margin to work with, so this is not difficult to
do. Unicans do not twist to the left at all, so ignore that direction and work
clockwise only.
Possible fixes
The obvious things improvements to make are to cut notches of some kind
into the locking bar teeth and the tumblers, so that the pressure can't be as
easily felt. Another way might be to have a slip joint on the locking bar that
would release before a certain amount of pressure was developed against it, and
thus never let the tumblers have enough pressure against them to feel. The
future may see an improved design from Simplex, but the likelihood does not
seem high. They did not seem interested in addressing the "problem".
Automotive Protection Systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are several types of locking devices found on cars today. Standard
window locks, exterior locks, ignition locks, and the famous third party "club"
type steering wheel locks.
Wing or vent windows have several types of locking devices. The most
common is simply a lever that turns to prevent the window from opening.
Another type of wing window lock has a lever latch equipped with a plunger at
the pivot of the latch. The plunger deadlocks the latch against rotation,
unless the plunger is first pushed in and held until the initial stage of
rotation has been accomplished. Naturally, these are a bit more secure.
The most popular auto locks for the exterior and ignition are a derivative
of the wafer tumbler locks called the "side-bar wafer lock." Side-bar wafer
locks offer more protection then either the wafer tumbler or pin tumbler (of
course they cost more.) When all of the tumblers have aligned to their breaking
points, a spring-loaded bar falls into place, allowing the cylinder to turn.
Ford auto locks are an exception, as they have pin tumbler locks.
Club Type Locks
One of the "club" type auto locks is an extensible bar that has opposing
hooks that nominally wedge between spokes on the steering wheel. The bar
itself is notched at 1" intervals or so. The key on these is rather
impressive; it's a brass tube with at least three sets of chamfers drilled into
their sides.
Defeating Club Type Locks
The weak part of these locks is not the keyway; it's the extensible bar.
The notches provide built-in weak spots. The lock can be forced in about three
seconds. Do as follows (it helps to be relatively strong):
1) Put on weightlifting gloves.
2) slide driver's seat all the way back.
3) tilt driver's seat all the way down.
4) tilt steering wheel all the way down.
5) put your feet on ends of "club" (past the rim of the steering wheel)
6) grasp center of the notched extension bar. Don't interlace fingers,
just grab with your dominant hand and then grab over that hand in the other
direction with the other hand.
7) Take a deep breath
8) While smoothly exhaling, hold on tight with your hands and straighten
your legs. (classic leg press -- even Joe Average can exert twice his body
weight in this mode.)
9) "Club" will conveniently bend into a horseshoe or shatter at a convenient
notch, depending on the mood of the guy running the tempering furnace.
This is why you wear weightlifting gloves while doing this trick- it keeps
the steel fragments from cutting you.
There is another "club" that has a collar that wraps around a segment of
the steering wheel; these cost more, are much less common, and the above
technique does not work for them. However, you can hacksaw the wheel in one
place and "spring" the wheel enough to allow the collar to pop off the wheel.
Bend the wheel back, add some tinted epoxy, and you're clean.
Auto Alarms
More and more, people are using auto alarms to try to protect their
vehicles. Unfortunately, if somebody wants to steal your car, they will. No
amount of protection will prevent this. The strategy behind an auto alarm is
to make your car more of a pain to steal then somebody elses. Here are the
basics of car alarms.
The Brain
The main alarm unit, sometimes called the "brain", is mounted in the most
secure place that can be found. Up inside the dashboard for instance. They
basically took the whole dash apart, install the alarm, and then put the whole
dash together around it. Some places install the brain under a seat or even up
under the carpet on the passenger side ("so they can adjust it easier"). This
is incredibly stupid.
Starter Kill
Basically, when the alarm is armed, the starter is electronically
disconnected so the car cannot be started or even hot wired. Most alarms have
this as a standard feature.
Valet switches
This is a toggle switch that can be set to keep the alarm from going off
if the owner has to leave it with a valet or for car repairs. Most of the
systems have this feature.
Passive vs Active Arming
With passive arming, the alarm becomes armed after a given time period
after the last car door has closed. To disarm, you can either get in to the
car and place the key in the ignition within a certain time period or press a
button on a remote transmitter to disarm the alarm.
With active arming, you have to press a button on a transmitter to arm the
alarm. To disarm, you press the transmitter button again.
Arming and Disarming beeps
Most alarms give you an audible alert when the alarm is armed or disarmed.
This serves two purposes. One is to let you know the alarm is working and on
the job. The other is to let others know the car has an alarm.
Motion Sensors
Some alarms like the UNGO box and others have a motion sensor. In the
UNGO Box's case, it is a tube filled with mercury surrounded by a wire coil.
When the car moves, the mercury moves within the tube causing current to flow
in the coil. This is what sets the alarm off. Other have some type of spring
with a weight on it so when the car moves, the weight bobbles back and forth
and makes contact with the casing causing the circuit to be completed. The
former method has a patent, the latter has no patent because it is worthless.
If you have ever heard a parking lot full of alarms going off at an airport or
a parking deck, it is because of this type of sensor. These are prone to false
alarms from passing trucks, thunder, airplanes, etc.
The UNGO Box's sensor is highly adjustable, however, if you adjust it to
eliminate all false alarms, then you have basically disabled its usefulness for
triggering real alarms.
Shock Sensor
This is what comes standard on most alarms. It basically senses motion
like a motion sensor but scans a very short period of time. You can rock the
car and push up and down on it and the shock sensor will not go off. If you
kick a tire or hit the window or door with your fist, the alarm goes off.
Glass Breakage Sensor
What this is supposed to do is pick up on the particular high frequencies
of glass being broken or cut and to trigger the alarm. It is basically a
microphone placed somewhere inside the car.
Field Motion Sensor (Perimeter Guard)
Basically this is the type of sensor which sets up some type of field
around the car and inside the car to detect masses coming close to the car. It
is a must for convertible owners. These aren't as common as most other types
because of the extremely high cost. There are many cheap ones available to add
to any alarm, but they have nothing but problems with them (i.e. false
alarms). Some Alpine systems are designed especially for this type of sensor
and have a price tag to match.
They are basically useless on hard top cars. Some cheap units are set off
by anything. There is a car parked right outside of my classroom which is
always being set off by falling rain and passers by. Very annoying. There are
other fancy alarms which have a pre- recorded message like "Please step away
from the car ...". These are really stupid and a waste of money. I heard of a
new BMW being tortured by a group of kids throwing rocks at it just to hear the
little voice go off.
Current sensor
This basically monitors the current drain on the battery. If it changes,
i.e. a door is opened causing a light to come on, the alarm is triggered.
This is how many cheap alarms are triggered. They just monitor the current.
The doors and trunk are all protected because they have lights which will come
on when opened.
The problem is, most newer cars have a fan inside the engine compartment
which comes on even after the car is turned off. The resulting drain on the
battery will trigger a current sensor.
Seat pressure sensor
If someone sits in the seat, the alarm is triggered. Not very practical
unless on a convertible. By the time the thief is in your seat, your car or
your stereo is history anyway.
Backup Battery
This is an emergency backup battery for the car alarm. It charges off of
the car alternator just like the car's battery. If the car's battery goes dead
or if the power cables are cut, the battery can still run the alarm and the
siren. The alarm will remain armed.
With cheaper alarms and/or poor installations, some systems might end up
wired into the car in a haphazard way. Most alarms flash the car's parking
lights when activated. All a thief has to do is short out a parking light, set
your alarm off and whammo, your car and the alarm goes dead. Thief gets in,
replaces the right fuses and off he goes.
Automatic Door locks/Unlocks
Another neat feature is automatic door locking. This is an option on most
alarms. It uses what they call an "output" from the alarm which can be
programmed to do various things. Most installers set this up so that when the
alarm is armed, all doors lock and when the alarm is disarmed, all doors
unlock.
Pagers
A pager (sometimes called Autopage) is used to page the owner's beeper
when the car alarm goes off. This way they can run to the parking lot and
chase a potential car thief away or catch the person who just rammed in to your
car before they speed away. Pagers may also use up an "output" on the alarm
unit. Some hook on to the siren and are triggered off of the vibration when
the alarm goes off.
Transmitters
These of course are used to remotely turn the alarm on and off. It seems
that with cheaper and/or older alarms, it is possible to transmit all of the
codes in rapid fire sequence to a car alarm. Eventually, you will hit upon the
right code combination to disarm the alarm. The average alarm has around 2 to
the 29th codes which is not very many. Newer (and probably more expensive)
alarms can sense this and lock out any further attempts for a given time
period.
The Marlock System
~~~~~~~~~~~~~~~~~~
The Marlock System uses a key consisting of a piece of metal with holes
bored in it, and then covered up with strips of IR-invisible plastic. Thus,
you can't see anything in the plastic, but IR in the keyhole reader can see
thru just fine. It decodes this, sends it to a controller interface box, which
sends it to a controller PC, which says "cool or uncool", and if cool, then the
interface box sends power to the strike on the door, and turns the LED on the
reader green.
Each area that is to be accessed via Marlock must have some sort of reader
device. This can be either a "keyhole" in the knob, a plate on the wall with
the keyhole in it, or whatever. The reader is hooked up to a controller
interface box. this box is locked with a really poor lock (like you'd have on
your diskette box) and is located close to the area being secured, often in the
ceiling. The controller interface box simply provides power for the reader,
the little LED over the top of the reader, and the electric strike locking the
door. The whole thing is controlled by an IBM PC with a reader keyhole mounted
on the front of the PC which runs to an interface card inside the PC.
To program a key into the system, one simply inserts it into the keyhole
on the front of the PC, and then tells the program when and where this key can
work. This is stored in its database, and recalled by the reader as needed.
Also the PC keeps logs of when and where a key was used -- whether or not it
worked! There are audit trails all over the place.
If the power goes out, then whether or not the door opens is dependent
upon the strike which was installed. IT can be either fail-safe (i.e. no
power -- open!) or fail-secure (i.e. no power- lock!). However, for fire
safety code requirements, companies often install it on the side of the door
which allowed entry to a restricted area -- not exit.
Some of the Marlock cylinders have a small brass spot in the middle of the
LED. This is an emergency override. One would insert a marlock key, and use a
9V battery between the key and the pin to provide a signal to the interface
controller to pop the strike. This may not still be the case however.
Defeating the Marlock System
Since there's an electric strike all you have to do is provide power to
the strike so it'll release. This is usually 12-24 volts DC, and is easily
obtained from some lantern batteries. The activation wires for the strike
usually run down inside the door jamb from the controller interface box. And
if you have access to the controller interface box, then just pick the lock on
the front of it. The heavier wires are for the electric strike (the thin wires
are from the reader). Then just apply power to the thing -- use jumper wires
to get the power from the controller interface box...
VingCards
~~~~~~~~~
These cards are used primarily by hotels, and our quite unique. The lock
is a matrix of 32 pins which have two possible positions each [sort of like a
vax...]. Two of these are special and aren't really used in the keying. The
remaining 30 are constructed out of standard pin and driver parts, except that
all the drivers are the same length and all the pins are the same length. The
pin-driver combinations sit pointing upward [the springs are underneath] in a
sort of matrix about 1.5 inches on a side. Above each pin-driver combination
sits a steel ball. The entire matrix is enclosed in a *plastic* assembly, part
of which can slide "forward" [i.e. away from the user]. Some of you may be
familiar with the keys: white plastic cards about 3 inches long with a bunch of
holes in one end. Pushing this into the slot until it "clicks" forward opens
the locking mechanism.
The lock combination is set by inserting a similar card, only half as
long, into the *back* of the lock. This card is the same thickness as the
opening card and has part of the hole matrix cut out. A juxtaposition of this
combination card from the back and the key card from the front closes the
matrix: i.e. if you overlay the combination and key cards in their opening
configuration, there are no open holes left, *exclusively*: i.e. where there
is a hole on the combination card there is solid on the key card, and vice
versa. Thus the complement of the proper key card is the combination card.
This is enforced by the placement of the ballbearings and pins in relation to
the sliders and top plate, so a workaround like a card with all holes cut out
or a solid card does not open the thing.
The combination card slides in between the conical pin ends and the steel
ballbearings [and is thus harder to push in than the key card]. The key card
comes in over the balls, and its thickness pushes the balls under its solid
regions downward. So each pin assembly is pushed down, when the lock is open,
the same amount, be it by the key card hitting the ballbearing or the
combination card wedging the actual pin downward. Clarification: Let us define
a "1" pin as a hole in the opening card. Thus a "0" pin sits under a solid
portion of the opening card and a hole in the combination card. A 0 pin opens
as follows: Since the combination card lets the pin rise up against the steel
ball, the keycard pushes the ball [and its pin] down to the bottom of the
keycard slot. This brings that pin to its shear line. Simple. Here's the
magic -- a 1 pin opens in the following fashion: Since the combination card is
solid there, the steel ball is sitting directly on the combination card, and
the pin underneath is *already* at its shear line. If a solid keycard portion
arrives over this ball, the ball is pushed down against the combination card
and *pushes the entire area of the combination card down under it*, lousing up
not only that pin's shear line but probably a few around it. Although a clever
mechanism, this depends on the elasticity of the combination card to work.
Note that as the key card is inserted and removed, the combination card will be
flexed up and down randomly until the keycard comes to rest at its opening
position. [Correction to above: each pin really has *three* possible
positions. Hmm.]
All this happens within the confines of the sliding *plastic* frame; this
part carries the two cards, the balls, and the top halves of the pins. The
stationary part underneath this contains the drivers and springs. A metal
plate bolts down on top of the sliding piece, leaving a gap just big enough for
the key card. If the screws holding this plate were to become loose, the plate
would rise up, the key card would sit too high up, and the lock would not open.
All the positioning is done by the thickness of the keys while they rest
against the surfaces of their slots. Therefore a piece of thin cardboard will
not serve as a duplicate key. We found that two pieces of plastic "do not
disturb" sign, cut identically and used together, were thick enough to position
things correctly and open the lock.
A rough top view: Pin mechanism:
Back _ = top plate Front Back
o o o o <> = balls ________________________________
o o o H = keycard HHHHHHHHHHHHH<>HHHHHHHHHH<>HHHHHH ## QQ
o o o o O = comb. card --> QQ OOOOOOOO<>OOOOOOOOOOOOOOOOOOOOOO
o o o # = slider QQ# [] [] [] ## QQ
@ o o @ [] = pins QQ###[]####[]####[]#################
o o o || = driver/ QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
o o o o spring asm QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
o o o Q = stationary QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
o o o o housing QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
Front
It is hoped that the diagram on the right, with its three example pins,
will show sufficiently that if two holes coincide the pin will rise too far,
and if two solid places coincide, the entire combination card would be pushed
down by the ballbearings. There is sufficient space underneath the combination
card for it to sag down and foul the shear line; it is normally held upward by
the pins' spring tension against the underside. This diagram may be misleading
if it is not understood that the balls are actually larger than shown; i.e.
the height of approximately three cards stacked up equals the diameter of the
ballbearing. There is a thin layer of slider plastic between the keycard and
the combination card, which separates them and retains the ballbearings.
The @'s in the top view are the two magic pins. These prevent the lock
from working at all unless a combination card is inserted. They are a bit
thicker than the other pins and do not have ballbearing parts. The slider
above the combination card slot here is solid, so these pins have nothing to do
with the keycard. They simply hold the lock shut if no combination card is
installed, regardless of what is done with a keycard. Therefore if one were to
make a combination card that only pushed down these pins, a solid keycard would
work. And if one inserts a solid combination card, the lock is already open
before you insert anything. [This is a useful hack that will allow anyone to
open the door with just about any tool, in case you are crashing lots of people
in a room, don't have enough keys, and don't feel like making more. Naturally
your security is compromised, but only those who know what's going on will be
able to get in.]
The slider has a bracket bolted on to it, which reaches down toward the
doorknob and pushes a moveable sleeve with a square hole through it. This
joins two sections of a three-section split shaft together, which allows the
outside knob to retract the bolt. The inside knob is "hardwired" to the bolt
action and always opens the door. The extra split in the shaft is so that with
the card in place, the lock will still behave like a regular split-shaft
knobset [and disable opening if the deadbolt is shot].
There is a hinged plastic door on the back [inside] of the lock, which is
held shut with a screwdriver tab inside a slot. This is where the combination
card goes, although this door exposes enough to see the entire slider mechanism
[except for its inner works; the entire back must be taken off to get the
slider out].
Now, the security evaluation: I see no clear way to "pick" it. The rear
pins are hard to get at without touching the frontmost ones. However, this
lock would be *very* easy to defeat, in the following fashion: A thin tool
about the thickness of a keycard and about .2 inch wide can cover one column of
ballbearings. If this tool is slowly slid straight into the slot along each
column in turn, the resistance encountered as it contacts each ball indicates
whether there is a hole or not underneath it in the combination card. The
combination card presses upward against the ball more strongly than the pin's
spring does, so this would allow one to map the combination card and then
construct the keycard complement. This process wouldn't take very long. I
therefore recommend that these locks be considered less than high-security.
Furthermore, come to think of it, a small hole drilled in the front plate
[which I doubt is hardened] would make it easy to frob the slider or split
shaft.
Electronic Hotel Card Locks
~~~~~~~~~~~~~~~~~~~~~~~~~~~
These are wonderful little microcomputer projects masquerading as door
locks. Inside there's a processor running a program, with I/O leads going to
things like the magnetic strip reader, or the infrared LEDs, and the solenoid,
and the lights on the outside. They are powered entirely by a battery pack,
and the circuitry is designed such that it draws almost nil power while idle.
The cards are usually magnetic-strip or infrared. The former uses an oxide
strip like a bank card, while the infrared card has a lot of holes punched in
it. Since IR light passes through most kinds of paper, there is usually a thin
layer of aluminum inside these cards. The nice thing about these systems is
that the cards are generally expendable; the guest doesn't have to return them
or worry about lost-key charges, the hotel can make them in quantity on the
fly, and the combination changes for each new guest in a given room. The hotel
therefore doesn't need a fulltime key shop, just a large supply of blank cards.
Duplication isn't a problem either since the keys are invalidated so quickly.
The controlling program basically reads your card, validates the number it
contains against some memory, and optionally pulls a solenoid inside the lock
mechanism allowing you to enter. The neat thing about them is that card
changes are done automatically and unknowingly by the new incoming guest. The
processor generates new card numbers using a pseudorandom sequence, so it is
able to know the current valid combination, and the *next* one. A newly
registered guest is given the *new* card, and when the lock sees that card
instead of the current [i.e. old guest's] card, it chucks the current
combination, moves the next one into the current one, and generates the new
next. In addition there is a housekeeping combination that is common to all
the locks on what's usually a floor, or other management-defined unit.
There is no wire or radio connection to the hotel desk. The desk and the
lock are kept in sync by the assumption that the lock won't ever see the "next"
card until a new guest shows up. However if you go to the desk and claim to
have lost your card, the new one they give you is often the "next" card
instead. If you never use it and continue using your old card, the guest after
you will have the wrong "next". In cases like this when the hotel's computer
and the lock get out of sync, the management has to go up and reset the lock.
This is probably done with a magic card that the lock always knows about [like
in ROM], and tells it something akin to "use this next card I'm going to insert
as the current combination". The pseudorandom sequence simply resumes from
there and everything's fixed. If the lock loses power for some reason, its
current memory will be lost but the magic "reset" card will work.
Rumor has it that these locks always have a back-door means of defeating
them, in case the logic fails. Needless to say, a given manufacturer's method
is highly proprietary information. In theory the security of these things is
very high against a "random guess" card since there are usually many bits
involved in the combination, and of course there is no mechanical lock to be
manipulated or picked. The robustness of the locking hardware itself sometimes
leaves something to be desired, but of course a lock designed for a hotel door
probably isn't the kind of thing you'd mount on your house.
Security Alarm Systems
~~~~~~~~~~~~~~~~~~~~~~
Security alarm systems are becoming more and more common in the home and
small business. They will become more and more popular in coming years as
their prices continue to fall. There are basically two types of systems, the
open circuit and closed circuit system.
The Open Circuit System
An open circuit system is composed of magnetic detectors or contacts that
are "normally closed." That means that their contacts are separated when the
door or window is in the normally closed position.When the door or window is
opened, the contacts are released, causing them to close. This allows current
to flow through the wires, and the alarm sounds. All the contacts and
detectors are wired in parallel. This means that current flows ONLY when any
contact or detector switch makes contact. Let me illustrate:
switch is open switch is closed
wire
----#############1############# ----#############1#############
#############2#############---
#############2#############----
########## wire
==========================
| MAGNET | (Magnet has been removed)
==========================
A Normally Closed Switch Assembly
In the first figure, the "normally closed" switch assembly, which would be
mounted about the door, is help open as the lower portion (#2) is pulled to the
magnet w
hich would be mounted on top of the door. The magnet has an attractive
force greater than the force of a spring which normally holds the two parts of
the switch closed. In this position, no current flows through the switch. In
the second figure, the door would be open, and thus the magnet not aligned
under the switch. Both halves of the switch have been returned to their
"normal" position, closed, by the spring.
The obvious disadvantage of an open circuit system is that it become
inoperative if a transmission wire is cut, a contact or terminal wire becomes
loose, or some similar condition. For this reason, circuit wiring for this
type is often concealed. The vulnerability of the system is minimized by a
test switch or key position which sends current through the main circuit wiring
and reveals any line breaks. This test lights a small warning lamp on the main
panel, bypassing the main alarm. This will only test the integrity of the
circuit, not individual detectors.
When the open circuit system is engaged, an alarm will occur immediately
if any doors are windows have been left open. Of course the alarm will also
sound anytime a door is used while the alarm is in operation. Many times a
bypass switch will be placed next to frequently used access ways. This can be
dangerous because someone can break a door or window pain, activate the bypass
switch, and have free access to the entrance.
The Closed Circuit System
In a closed circuit security system, low amperage current continuously
flows from the power source, throughout the detector switches, to the
supervising relay (a type of switch) in the control panel. The detector
switches are of the normally open type. This is the opposite of the normally
closed type. The magnet holds the normally open switch assembly together, so
current flows through the switch. When the magnet is removed, the switch
springs open, and current ceases to flow throughout the circuit. The
supervising relay monitors the current in the circuit, and should it be
interrupted (by a door opening and causing a detector switch to open), it will
activate the alarm buzzer, telephone dialer, siren, or whatever.
Note that in the closed circuit system, any attempt to cut the wires would
have the same effect as opening a detector switch. The current would be
interrupted and the alarm would sound. This makes the closed circuit a much
more secure system than the open circuit type.
The closed circuit system requires more sophisticated equipment and the
circuit installation must be precisely wired. Closed systems are also prone to
more frequent false alarms.
Security Alarm System Power Sources
The current for most systems comes from battery, transformer, or a
recharging pack. The recharging pack is a complete power supply providing 6-12
volts of power. This is enough to run several separate alarm circuits and even
a six volt telephone dialer. It is usually equipped with nicad backup
batteries in case of power failure.
Magnetic Detectors
I used the "Magnetic Detector" when explaining the closed and open circuit
types of security systems. These are by far the most common type of detectors
used. As discussed before, they are a two part assembly consisting of a magnet
and a switch. Both are encased in a weatherproof plastic case.
Tamper Switch or Plunger Contact
Another popular type of detector is the tamper switch. It may be used on
windows, alarm boxes, or control panels. It consists of a switch assembly with
a spring loaded "plunger" protruding from one end. It is available in both the
normally open and normally closed configurations.
All-Purpose (Bullet) Detector
This is a beveled button used primarily on doors or double-hung windows.
The button is installed in the hinged side of the door frame, recessed into the
frame. When the door is closed, the button is depressed. When opened, it of
course pops out.
Floor Mats
Pressure sensitive mats wired with open or closed circuits to make or
break contact when stepped upon are used as backup to perimeter security
systems such as rear entrance doors. They can be placed under regular
carpeting or loose rugs.
Door and Window Traps
These are basically "trip-wires" and aren't used too often. They do work
well in areas where conventional detectors would not work, and are
substantially cheaper than infrared. They can be placed in either a horizontal
or vertical configuration. For open circuit systems, an insulated plug is
placed between the contacts of the detector. When it is tripped, the plug is
pulled out, causing the detector's switch to close. For a closed circuit
system, one end of the trip wire is attached to one end of the switch, and the
other end of the trip wire to the other half of the switch. This way current
still flows in the circuit. When the wire is tripped, the circuit breaks.
Photoelectric Systems
Photoelectric systems transmit invisible pulse modulated beams from
projector/transmitter to receiver. Interruption of the beam sets off the
alarm. Although the system is designed primarily for interior used, military
systems have been developed for use on the exterior, even in dense fog.
Emergency Panic Button
This permits an alarm to be activated by use of a pushbutton located near
a front door, in a bedroom, or hidden under a counter. In a business, such a
button could be used as a "holdup" button, silently summoning the police or
activating the normal store alarm system.
Automatic Telephone Dialer
This is a device that will automatically call the appropriate telephone
number and relay a prerecorded message. These devices are often used to
contact the police, private security, or store officials. Of course, the
system is at risk if the exterior phone wires are accessible. For this reason
the phone wiring will be either incased in a steel sheath or wired for alarm.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------------------------------------------------
--- US Secret Service Radio Frequencies ---
-- --
- [From information gathered from Miles Barkman] -
----------------------------------------------------
President, Vice President, or other notable coming to town? Like to
know whats going on? Here is a handy reference guide to some of the known
frequencies used by the Secret Service. Should provide some interesting
scanning for you radio jocks out there.
Note: USSS=US Secret Service
WHCA=White House Communications Agency
Designation Frequency Primary Usage
------------------------------------------------------------------------------
Alpha 032.2300 MHz WHCA-Transportation
166.5125 MHz WHCA-Transportation
Able 032.2300 MHz ???????????
032.3200 MHz ???????????
Baker 165.7875 MHz USSS-Field Offices
Charlie 165.3750 MHz USSS-Field Offices/Protection
Delta 169.9250 MHz WHCA-Marine Security Detachment
Echo 407.8500 MHz WHCA-SAM Uplink
Foxtrot 415.7000 MHz WHCA-SAM Downlink
Golf 166.4000 MHz USSS-Field Offices
Hotel 167.9000 MHz WHCA-V.P. Staff/White House Garage
165.6875 MHz WHCA-V.P. Staff/White House Garage
166.2125 MHz WHCA-V.P. Staff/White House Garage
India 407.9250 MHz USSS-Headquarters
166.2000 MHz USSS-Headquarters
Juliett 170.0000 MHz USSS-Paging/Camp David
Kilo 167.8250 MHz Duplex Phone-Pres Res/LBJ
Lima 168.7875 MHz Duplex Phone-Pres Res/LBJ
Lavender 418.1250 MHz WHCA-Transportation
Mike 165.2125 MHz USSS-Dignitary/Former Pres Protection
November 166.7000 MHz WHCA-White House Staff
Oscar 164.8875 MHz USSS-Presidential Protection
Papa 164.4000 MHz USSS-Field Offices/Protection
Quebec ???.???? MHz ???????????
Romeo 166.4000 MHz USSS-Repeater Output
164.4000 MHz USSS-Repeater Output
Sierra 166.5125 MHz WHCA-White House Staff
Tango 164.6500 MHz USSS-Field Offices/Protection
Uniform 361.6000 MHz AF-1 Communications
165.0875 MHz AF-1 Communications
Victor 164.1000 MHz WHCA VP Protection
Whiskey 167.0250 MHz WHCA-Paging
X-ray 166.4625 MHz Treasury Common
Yankee 162.6875 MHz WHCA-Presidential phone uplink or downlink
Zulu 171.2875 MHz WHCA-Presidential phone downlink or uplink
Pres Nighthawk Aircraft Fleet (HMX)
-----------------------------------
Frequency Primary Usage
-----------------------------------
046.7500 MHz Transport
375.0000 MHz Transport
034.3500 MHz VIP Transport Net
142.7500 MHz Command Post
265.8000 MHz Squadron Common
Other Phone Patches
------------------------------------------------
Frequency Type Primary Usage
------------------------------------------------
407.4750 MHz (uplink) Nationwide-2
415.8000 MHz (downlink) Nationwide-2
407.4500 MHz (duplex) Limousines (Local/DC)
408.2000 MHz (duplex) Limousines (Local/DC)
USSS Uniform Division
---------------------------------
Designation Output / Input Freq
---------------------------------
Gray 418.350/407.750 MHz
Orange 418.775/414.950 MHz
Brown 414.850/418.800 MHz
Red 415.975/419.725 MHz
Silver 415.650/419.100 MHz
Yellow 414.675/418.150 MHz
Training Division: Beltsville, MD
---------------------------------
Designation Output / Input Freq
---------------------------------
Green 415.750/407.875 MHz
Black 415.100/418.325 MHz
Blue 414.800 MHz
Violet 415.800 MHz
Communications Division
---------------------------------
Designation Output / Input Freq
---------------------------------
Gold 415.675/419.075 MHz
Technical Security Division
---------------------------
Designation Frequency
---------------------------
F-1 408.000 MHz
F-2 411.000 MHz
F-3 408.500 MHz
F-4 408.975 MHz
Other Reported USSS Frequencies
---------------------------------------
Frequency Primary Usage
---------------------------------------
163.7375 MHz
164.6500 MHz
165.2250 MHz
165.6875 MHz Washington Field Office
166.2000 MHz Washington Field Office
406.2625 MHz
407.8000 MHz
407.8250 MHz Suit Radios
407.8750 MHz Suit Radios
407.9750 MHz
408.9750 MHz
Hints for monitoring
--------------------
Most of the interesting frequencies are USUALLY scrambled during actual
operations. However, 407.850 and 415.700 are never scrambled.
Sometimes, the best info on plane landings and limo locations and such can be
obtained through regular airport communications and local police.
The Secret Service has been known to occasionally use cellular communications.
The PL used extensively by USSS is 103.5 Hz.
Hearing the callsign "Air Force 1" means the President is on the plane. "Air
Force 2" is the Vice President's plane.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cellular Update
Well, they've done it again. The high paying special interest groups have
gotten yet another law passed. Now it is not only illegal to listen to
cellular communications, but illegal to even MAKE a tuner capable of tuning
them in! Never mind thats its just EMR floating through space, your body, your
house. It is ILLEGAL to tune a crystal to such and such frequency converting
the energy to audio. Ridiculous. People who broadcast their conversation
across the country side should have no expectation of privacy. Does everyone
have to cover their ears when I yell out the window to my friend? No, of
course not. The question of it being immoral or not should not be confused
with legality. Heres the new law.
SEC. 408. INTERCEPTION OF CELLULAR COMMUNICATIONS.
(a) AMENDMENT -- Section 302 of the Communications Act of 1934
(47 USC 302) is amended by adding at the end the following new
subsection:
(d)(1) Within 180 days after the date of enactment of this
subsection, the Commission shall prescribe and make effective
regulations denying equipment authorization (under part 15
if title 47, Code of Federal Regulations, or any other part
of that title) any scanning receiver that is capable of --
(A) receiving transmissions in the frequencies allocated to the
domestic cellular radio telecommunications service,
(B) being readily altered by the user to receive transmissions
in such frequencies, or
(C) being equiped with decoders that covert digital cellular
transmissions to analog voice audio.
(2) Beginning 1 year after the effective date of the regulations
adopted pursuant to paragraph (1), no receiver having the
capabilities described in subparagraph (A), (B), or (C) of
paragraph (1), as such capabilities are defined in such
regulations, shall be manufactured in the United States or
imported for use in the United States.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The HP3000's 'SECURITY/3000' system (part 3)
by Sterling
The third and final part of our series on HP3000 Security.
STREAMX/SLEEPER -- LINKS STREAMX WITH SLEEPER
*********************************************
INTRODUCTION
~~~~~~~~~~~~
A very popular program from the Contributed Software Library (CSL) is SLEEPER,
which can stream a job, run a program, or execute a command or any combination
of these at any specified time and repeat this action at specified intervals.
Many HP3000 sites use SLEEPER to launch job streams at specified times during
the day or night, and at regular intervals (for instance it might run a report
program each night at 12:00 and stream a job which does a sysdump at 7:00 a.m.
each Friday).
But to stream a job using SLEEPER, the MPE passwords must be embedded in the
job stream. A better solution would be to use STREAMX in conjunction with
SLEEPER and have STREAMX generate the passwords.
SLEEPER INSTRUCTIONS
~~~~~~~~~~~~~~~~~~~~
Those familiar with SLEEPER know that the file 'SLEEPCOM' must first be built
as follows:
:BUILD SLEEPCOM;REC=-72,4,F,ASCII;DISC=20,1,1
and then SLEEPERC (the SLEEPER communications program) is run to add entries to
the SLEEPER file. SLEEPERC will ask the date, hour, and minute when the
activity is to start. It will then ask if the activity is to run a program,
stream a job, or execute a command. The name of the proper disc file is asked
for next; then the repetition time in days, hours, and minutes (or 'none') is
requested.
The SLEEPER communication program may be used at any time to add, delete, or
list the current SLEEPER entries; even when the SLEEPER program is running.
(If you are having trouble adding entries, make sure the SLEEPCOM file is not
full.)
After the SLEEPER communication file is set up you may run the SLEEPER program
(either type ':RUN SLEEPER', or let OVERLORD [also from the CSL] run the
SLEEPER program automatically). SLEEPER will then determine the earliest time
that any activity must be executed, then "go to sleep" (via the PAUSE
intrinsic) until it is time to schedule that activity. In this way the SLEEPER
program is little load upon the system, as it is sleeping most of the time.
If a repetition time is specified for an activity then SLEEPER will update the
time to schedule that activity after it has been scheduled by adding the
repetition interval to the scheduling time. If no repetition interval is
specified then that activity is deleted from the communications file after it
is executed.
SLEEPERC is a program used to communicate with the SLEEPER program as it runs.
The OVERLORD program may be used to run SLEEPER or SLEEPER may be run alone
(usually as a batch job).
HOW STREAMX/SLEEPER WORKS
~~~~~~~~~~~~~~~~~~~~~~~~~
As you know, STREAMX gets passwords for job streams by prompting for them at
:STREAM time; but because SLEEPER is streaming the job, there is no one to
answer the passwords. Fortunately, SLEEPER is generally run by MANAGER.SYS (or
a user with SM capability), so STREAMX will automatically generate the
passwords for all job streams streamed by SLEEPER, since STREAMX's logic
dictates that an SM user never needs to answer any passwords because he can
retrieve them anyway.
To link STREAMX with SLEEPER, we need to run STREAMX in immediate mode,
equating the file we want to stream with STRMFILE and invoking STREAMX with
PARM=1.
Unfortunately, SLEEPER cannot run programs with parms, so instead of running
STREAMX, we run STRMSLEP, which simply invokes STREAMX with PARM=1.
LOGOFF -- LOGS OFF INACTIVE SESSIONS
************************************
INTRODUCTION
~~~~~~~~~~~~
Users often log on to the system, do some work, and then leave the terminal
unattended (coffee break?, lunch?) without logging off. Sometimes users even
go home for the day without logging off.
* SECURITY THREAT:
WALK UP TO TERMINAL
TAKE ADVANTAGE OF CAPABILITIES
DISCOVER MPE PASSWORDS TO SENSITIVE ACCOUNTS
This can be a security problem because this means that anyone can come up to a
terminal and use it without having to go through any security system. This can
be an even greater problem if the logged-on user is an Account Manager or the
System Manager because the would-be thief could take advantage of the extra
capabilities and gain access to sensitive information. (It's fortunate,
though, that you are using SECURITY/3000 because the personal profile answers
which must be known to gain access to the system are one-way
encrypted--otherwise, the would-be thief could do a :LISTUSER, :LISTGROUP, and
:LISTACCT, retrieve all the MPE passwords, erase all evidence that he did so by
clearing the screen, and then log on as that user at some later date.
* SYSTEM RESOURCE WASTE:
SYSTEM TABLES
MORE TERMINALS THAN PORTS
Another problem posed by having an idle terminal is that certain system
resources are being used unnecessarily. This can be of particular concern if
you are short on CST and DST entries, and especially if you have several users
contending for a limited number of ports through data switches or port
selectors. Why should an inactive session consume valuable resources?
Logged-on sessions at the end of the day also prevent you from doing your
backup.
LOGOFF remedies these problems. It permits the System Manager to ensure that
any terminal which is logged on but has not been actively used for a certain
length of time is automatically logged off.
HOW LOGOFF WORKS
~~~~~~~~~~~~~~~~
LOGOFF will log off qualifying sessions that have exceeded the acceptable
period of inactivity. You specify how much inactivity is acceptable and which
sessions are to be monitored for inactivity.
* REMOVES INACTIVE/UNWANTED SESSIONS FROM SYSTEM
* INACTIVE = READ PENDING AND NO CPU USAGE RECENTLY
* uses MPE :ABORTJOB #Snnnn
LOGOFF decides that a session is inactive if it's had a terminal read pending
for a long time (at least as long as the configured timeout period). For
example, if the timeout period is 20 minutes (1200 seconds) and some program
prompted the user for input 20 minutes ago and he still hasn't responded,
LOGOFF will abort that user. On the other hand, if the program's been working
for 20 minutes, or even been suspended waiting for a :REPLY (or anything else
that doesn't involve a terminal read), the program won't be aborted.
After you configure LOGOFF (see CONFIGURING LOGOFF in this section) you stream
a job which runs the LOGOFF program--the program will run "in the background"
all the time and monitor the system using a minimal amount of resources.
LOGOFF will perform an :ABORTJOB on inactive sessions--MPE will take care of
file closures, buffer posting, etc.
When a session is aborted by LOGOFF,
* a message saying that the session is being aborted due to lack
of activity is sent to that session's terminal (the text of
this message will default, but you may define your own)
* if the terminal is in BLOCK MODE (e.g. VPLUS screen),
LOGOFF will take the terminal out of this mode and display
its message below the screen.
* a message describing the logoff and identifying the LDEV of
the logged-off session is sent to the system console
* an entry is written to LOGOFF job stream's output
spool file indicating the session number aborted and the time
and date it was aborted
CONFIGURING LOGOFF
~~~~~~~~~~~~~~~~~~
You may configure logoff in a number of ways.
* ACCEPTABLE PERIOD OF INACTIVITY
* WHICH SESSIONS TO MONITOR (BY LDEV)
* SESSIONS CURRENTLY RUNNING PROGRAM
* BLOCK MODE HANDLING
* DS SESSION HANDLING
* ABORT MESSAGE TO BE SENT
First, you must specify the acceptable period of inactivity. This is done with
the $TIMEOUT keyword.
Next, you may optionally configure which sessions will have their activity
monitored by using the $TERMINALS keyword. This is done by defining the
"ldev-pool" of logical devices to be monitored.
Also, you may specify additional criteria to be checked by LOGOFF before the
inactive terminal is aborted (e.g. that sessions running a particular program
should not be aborted).
Furthermore, you may configure how LOGOFF will deal with sessions which have
qualified to be logged off. This includes BLOCK MODE handling, DS SESSION
exclusion, and the MESSAGE to be sent to the user.
If you specify only the $TIMEOUT period, logoff will by default:
* monitor sessions on any logical device
* exit a terminal from block mode and then display message
* not abort sessions with a DS session
* display the default logoff message
* abort sessions running any program
If you have already configured LOGOFF and wish to change something in the
configuration while LOGOFF is running, you need not abort the LOGOFF job and
re-start it--just make the changes to the configuration file and they will take
effect right away (or, rather, the next time the LOGOFF program reads the
LOGOFF data file).
The configuration information for LOGOFF is kept in the file
LOGOFF.DATA.SECURITY and each time you make a change to it by KEEPing the file
from the :EDITOR you must:
:ALTSEC LOGOFF.DATA.SECURITY;(R,X,A,L,W:CR)
SPECIFYING WHICH LOGICAL DEVICES ARE TO BE MONITORED
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You may specify which logical devices are to be monitored by LOGOFF. The LDEVs
to be monitored are referred to as the "ldev-pool". This "ldev-pool" is
defined by adding a keyword and a list of LDEVs to the LOGOFF.DATA.SECURITY
file. If you specify to INCLUDE a list of LDEVs, the "ldev-pool" will be that
list of LDEVs. If you specify to EXCLUDE a list of LDEVs, the "ldev-pool" will
be all the LDEVs configured as terminals which are not in your EXCLUDE list.
Either add a line to INCLUDE certain terminals:
$TERMINALS INCLUDE ldev ldev ldev ldev ldev ...
or to EXCLUDE certain terminals:
$TERMINALS EXCLUDE ldev ldev ldev ldev ldev ...
where 'ldev' is any logical device number (e.g. '21 38 40 47') which are
included in or excluded from the logoff "ldev-pool".
LOGOFF will monitor only the sessions logged on to the LDEVs in the logoff
"ldev-pool". The LDEV which is the system console is always excluded from the
"ldev-pool" (even if it is switched from LDEV 20).
If all the LDEVs you need to specify do not fit on a 72-character line, you may
put them on several lines as follows:
$TERMINALS INCLUDE 22 23 24 25 27 29 30 31 32 33 35 37
38 39 47 48 55 56 57 58
If neither a $TERMINALS INCLUDE or $TERMINALS EXCLUDE line is contained in the
file, all LDEVs (except the console and all DS sessions) will be included in
the "ldev-pool". Regardless of what you specify, LOGOFF will only monitor
LDEVs which are configured as type = 16 (terminals).
NOT LOGGING OFF SESSIONS RUNNING A SPECIFIED PROGRAM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After LOGOFF has qualified a session by LDEV and inactivity, you may
additionally specify that sessions running a particular program not be aborted.
This means that programs such as FORMSPEC.PUB.SYS which often have long periods
of inactivity (due to screen design) may be specified to logoff as being
special and that regardless of inactivity this session should not be logged off
while running this program. To configure LOGOFF to EXCLUDE logging off
sessions running a particular program add a line to LOGOFF.DATA.SECURITY:
$PROGRAMS EXCLUDE program program program ...
where 'program's are fully qualified program names (e.g. ENTRY.PUB.SYS
FORMSPEC.PUB.SYS).
If no $PROGRAMS is specified, this check is not performed.
RESTRICTING LOGOFF BY USERS
~~~~~~~~~~~~~~~~~~~~~~~~~~~
With $TERMINALS INCLUDE and EXCLUDE, you can have LOGOFF abort only those
inactive sessions which are running on certain terminals (or, for EXCLUDE,
running on any terminals EXCEPT the ones given). With $PROGRAMS INCLUDE and
EXCLUDE, you can restrict LOGOFF to only look at terminals that are running (or
not running) certain programs. Similarly, with $USERS INCLUDE and EXCLUDE, you
can specify which users should or should not be aborted due to inactivity.
Say, for instance, that you don't mind people walking away from their terminals
whenever they're signed on to non-sensitive accounts. The only accounts that
you really want LOGOFF to work on are AP, GL, and SYS. You can just add the
following line to your LOGOFF.DATA.SECURITY file:
$USERS INCLUDE @.AP @.GL @.SYS
Whenever LOGOFF sees an inactive session, it will check to see if it's logged
on to one of those three accounts; if it isn't, LOGOFF won't touch it.
Similarly, there might be some specific users that you don't want to abort.
BIG.CHEESE, for instance -- your boss -- gets very aggravated when he gets
kicked off the system, and the fact that he shouldn't leave his terminal
inactive doesn't sway him. Rank has its privileges, after all, and you can
just say
$USERS EXCLUDE BIG.CHEESE
Actually, you can be very specific in who you include or exclude. As the first
example above showed, you can specify user identifiers with wildcards (@.AP,
CLERK@.GL, JOE.@, etc.); also, you can select by session name and group name as
well as user name and account name, so you can say
$USERS EXCLUDE JOE,@.DEV,SOURCE
which will exclude sessions signed on with session name "JOE" into the "SOURCE"
group of the "DEV" account.
If you have neither a $USERS INCLUDE nor a $USERS EXCLUDE line in the
LOGOFF.DATA.SECURITY file, LOGOFF will abort inactive sessions regardless of
their user id (although the $TERMINALS and $PROGRAMS restrictions still apply).
This is a pretty good default, since usually any inactive session is not a good
thing to have around.
DS SESSIONS - TO ABORT OR NOT TO ABORT (THAT IS THE OPTION)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LOGOFF may be configured to abort sessions regardless of whether they are a
local or remote DS-session. By default, LOGOFF will not abort any DS-session.
You may perform the abort by configuring the LOGOFF.DATA.SECURITY file with the
keyword:
$DSABORT
This will cause DS-sessions to be aborted.
SAMPLE CONFIGURATION
~~~~~~~~~~~~~~~~~~~~
EXAMPLE1: If the LOGOFF.DATA.SECURITY file contained the following:
$TIMEOUT 900
$TERMINALS EXCLUDE 33 36 38 39 45
$PROGRAMS EXCLUDE FORMSPEC.PUB.SYS ENTRY.PUB.SYS
then LOGOFF would abort all sessions that were all of the following:
Inactive for more than 900 seconds (15 minutes)
AND logged on to an LDEV other than 33,36,38,39 or 45
AND running a program other than FORMSPEC.PUB.SYS and ENTRY.PUB.SYS
EXAMPLE2: If the LOGOFF.DATA.SECURITY file contained the following:
$TIMEOUT 1200
$TERMINALS INCLUDE 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
48 49 50 51 52 53 54 55 56 57 58 59 60
then LOGOFF would abort all sessions that were:
Inactive for more than 1200 seconds (20 minutes)
AND logged on to an LDEV from 33 to 60 inclusive.
ACTIVATING LOGOFF
~~~~~~~~~~~~~~~~~
To have LOGOFF continually monitor the system and abort idle sessions (using
the parameters you have configured in LOGOFF.DATA.SECURITY) you need to stream
a job which runs the LOGOFF.PUB.SECURITY program, which wakes up every so often
(using a minimal amount of system resources) and aborts all sessions which
should be aborted, according to your configuration in LOGOFF.DATA.SECURITY.
The logoff job stream is stored in the file
LOGOFF.JOB.SECURITY
which does not contain any passwords on the job card, so STREAMX should be used
to stream the job (see the "STREAMX" section of this manual for information
about eliminating passwords in job streams). Just do this:
:FILE STRMFILE=LOGOFF.JOB.SECURITY
:RUN STREAMX.PUB.SECURITY;PARM=1
STOPPING LOGOFF
~~~~~~~~~~~~~~~
"A car needs to be able to do only two things -- to go and to stop."
A LOGOFF job stream is just a 'plain vanilla' MPE job. If you want to abort
it, you can just do an :ABORTJOB, just like you would for any job of your own.
On the other hand, MPE's :ABORTJOB is sometimes rather temperamental. Surely
you, as a system manager, have often encountered sessions that just won't go
away -- no matter how many :ABORTJOBs are done, they're still there; sometimes
you even have to re-start the system if you want them removed.
This is why it's a good idea for all background tasks, like LOGOFF, to have
some normal shutdown procedure, which can let somebody stop them without having
to do an :ABORTJOB. To do this, you just
:RUN LOGOFF.PUB.SECURITY,STOP
This will send a message to the LOGOFF job stream using a message file; LOGOFF
will catch this message and perform an orderly shutdown of itself. Of course,
you can still do an :ABORTJOB of the job stream if you want to, but we think
that the ":RUN LOGOFF.PUB.SECURITY,STOP" is a cleaner solution.
Note that there's no reason why you have to abort the LOGOFF job stream when
you do a system backup. Just keep it running.
PASCHG-changing MPE passwords
*****************************
INTRODUCTION
~~~~~~~~~~~~
To protect the security of their systems, many installations encourage (or
require) MPE passwords to be changed periodically. That way, by the time a
password gets out over the "grapevine," it will have been changed.
Unfortunately, MPE's security system makes changing user passwords rather
difficult. Since only an Account Manager--not the user himself!--can change a
user password, changing passwords is actually discouraged. A user may feel
reluctant to spend time getting in touch with his Account Manager about
changing a password (even if he, the user, suspects it has been compromised);
an Account Manager is very likely to put off changing passwords if it means
changing them for 100 users in his account.
A very good solution to this problem--in fact, one implemented on most other
computer systems--is to allow a user to change his own password. Since the
user is allowed to change only his own password (not other users'), this poses
no security threat; in fact, it actually improves security by making it easier
for a user to get his own password changed.
HOW PASCHG WORKS
~~~~~~~~~~~~~~~~
A user may run the PASCHG program, which first prompts him for his current MPE
user password (if he has one). The user must enter the correct password in
order to change it--this protects against somebody walking up to a logged-on
terminal while its real user is away and changing the password (although
SECURITY/3000's LOGOFF program is a better solution to this problem.
After the user has correctly entered his current password, he is asked for a
new password. After he enters the new password, he is asked to enter the same
password again, to make sure that he did not enter it incorrectly the first
time. If he enters a different password the second time, PASCHG assumes that
he has made a typo and repeats the new password sequence.
Once the user has entered a new password (and entered the same password again,
guaranteeing that it's the one he really wants), his password is changed.
A user is not allowed to use PASCHG to remove his own password, since the
Account Manager might often want to require his users to have passwords;
therefore, if the user hits <return> when asked for the new password, an error
message will be printed and the password will remain unchanged.
PASCHG also forbids a user from changing his password to the same value, as
that would defeat the purpose of changing the password.
HOW TO SET UP PASCHG
~~~~~~~~~~~~~~~~~~~~
The PASCHG program is
PASCHG.PUB.SECURITY
Any user may :RUN it, and the easiest way to do this is to set up the UDC
"PASCHG" so that a user may type just one word to invoke the program.
We recommend that you set the PASCHG UDC at the system level so that all users
may run it:
:SETCATALOG CHGUDC.PUB.SECURITY, YOURUDCS.PUB.SYS; SYSTEM
That way, a user need merely type
:PASCHG
and the PASCHG system will be invoked.
Certainly, there are some HP3000 installations whose security systems operate
in such a way that they don't want users changing their own passwords. A good
example of this is when several people share a single user ID, and you don't
want one of them to change their joint password (although for this kind of
application, SECURITY/3000's security-by-session-name should be used.
If you don't want your people running PASCHG.PUB.SECURITY, simply put a
lockword on this file or remove it entirely from the system. No other part of
SECURITY/3000 depends on it, so all the other components of SECURITY/3000 --
the Logon Security System, LOGOFF, OBSOL, TERMPASS, STREAMX, etc. -- will
still function as well as always.
EXAMPLE OF A PASCHG SESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~
A typical session with PASCHG might look like:
:PASCHG << a UDC that runs PASCHG.PUB.SECURITY >>
SECURITY/PASCHG Version 0.2 (VESOFT, Inc. (C) 1985)
Please enter your current user password: << user enters it >>
Please enter your new user password: << user enters 'FOO' >>
Please enter the same password again: << 'FOO' again >>
Password changed.
Note that none of the password inputs are echoed; furthermore, if the user
wanted to abort the change any time until he entered the new password the
second time, he could do so by hitting <control-Y>.
PASCHG/OBSOL INTERFACE
~~~~~~~~~~~~~~~~~~~~~~
PASCHG works well with OBSOL, SECURITY/3000's MPE Password Obsolescence System
since with PASCHG the Account Manager isn't burdened with having to change
dozens of passwords at the end of every month. However, in order for OBSOL to
"know" that a password has been changed with PASCHG, PASCHG has to be told to
tell OBSOL that a change is being made.
If you run PASCHG.PUB.SECURITY with ;PARM=1, it will invoke OBSOL and tell it
that the password is being changed.
So if you use OBSOL, your :PASCHG UDC ought to look like:
PASCHG
RUN PASCHG.PUB.SECURITY;PARM=1
(whereas if you don't use OBSOL, the ';PARM=1' should be omitted). In fact,
the OBSUDC.PUB.SECURITY UDC file, which contains all the UDCs relevant to
OBSOL, contains this PASCHG UDC as well.
Note that when a user changes his own password, he is not allowed to change the
obsolescence period and warning period (as is normally the case when an Account
Manager changes a user's password). This is done because the Account Manager
might not want users altering the obsolescence period, perhaps lengthening it
to the point where passwords no longer have to be changed frequently.
Note: you may configure OBSOL to run PASCHG automatically when the user
password is within its warning period (see OBSOL).
In addition, PASCHG may be invoked automatically from OBSOL so that if a user
logs on and is warned that his password will expire, PASCHG will be run
automatically to permit the user to change his password at that time. This can
further automate the process of password maintenance because a user does not
have to know what program to run, what UDC name to type, or whom to contact to
get his password changed.
The following UDC may be used instead of OBSOLUDC to invoke the OBSOL system.
As you can see, OBSOL will set a JCW which the UDC recognizes to run the PASCHG
program. This UDC is stored as the file OBCHGUDC.PUB.SECURITY.
OBSLOGON
OPTION LOGON, NOBREAK
RUN OBSLOG.PUB.SECURITY
IF SECURITYANSWER = 1 THEN
BYE
ELSE
IF CHGUSERPASS = 1 THEN
RUN PASCHG.PUB.SECURITY;PARM=1
ENDIF
ENDIF
ENFORCING PASSWORD STANDARDS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You may configure PASCHG to edit passwords that your users specify for
themselves. This editing may be used to enforce minimum password length in
addition to specific alpha, alphanumeric and numeric character patterns. The
edit characters used are similar to COBOL's. The 'edit pattern' is specified
by adding a line to the file SECURMGR.PUB.SECURITY in the format:
PASCHG-EDIT=<edit pattern>
Where the <edit pattern> conforms to the following rules:
'X' is any alphabetic [a..z] or numeric [0..9]
'A' is any alphabetic character
'9' is any numeric character
For example:
PASCHG-EDIT=AXXX enforces 4 character minimum password length
PASCHG-EDIT=AXXX9 enforces 5 character minimum password length
one alpha, three alphanumeric, one numeric
PASCHG-EDIT=AAAAAAAA enforces 8 character minimum password length
all alpha
Regardless of what is specified by PASCHG-EDIT, as per valid MPE password
format, the first character of the edit pattern will be assumed to be an 'A'
(alpha) when editing the password input. If the new password is longer than
the edit pattern specified in SECURMGR.PUB.SECURITY, those characters are not
edited.
If no PASCHG-EDIT keyword is found in the SECURMGR.PUB.SECURITY
file, PASCHG will use the default edit
pattern of 'AXXX' indicating a
minimum four character password.
GETPASS: A PROCEDURE TO GET ONE'S OWN PASSWORD
**********************************************
INTRODUCTION
~~~~~~~~~~~~
There is an unfortunate deficiency in MPE which forbids a user from retrieving
his own passwords; this necessitates programmers who are building and
:STREAMing streams from inside their programs to embed passwords into those
programs, which makes the necessary (mandatory?) operation of changing
passwords once in a while simply unfeasible. The user-callable procedure
GETPASS is designed to remedy this state with it, any user is allowed to
retrieve his own passwords (which is certainly not a security threat, as he
needed to know them to sign on; also, for convenience, the system manager is
allowed to retrieve the passwords of ANYBODY (for he is god anyway), and the
account manager may retrieve the passwords of anybody in his account. Thus,
with GETPASS a programmer can call WHO, find out his user, group, and account
names, call GETPASS, and retrieve his passwords; then, it is easy to insert
these passwords into the job card. Thus,a hard-to-maintain embedded passwords
can be avoided.
GETPASS has the following parameters:
PARAMETER 1: USER - The user to get passwords for.
2: ACCOUNT - The account to get passwords for.
3: GROUP - The group to get passwords for.
4: PASS-USER - The user password.
5: PASS-ACCT - The account password.
6: PASS-GROUP- The group password.
7: ERR - FALSE = everything went OK; TRUE = security
violation or nonexistent user, account,
or group.
GETPASS needs to use privileged mode (PM) capability for its execution;
however, it uses it in a safe fashion and has NEVER caused a system failure
yet! Note that programs calling GETPASS need not be PREPed with PM capability;
it must reside in an SL in a group and account containing PM capability (like
SL.PUB.SYS). To add GETPASS to the system SL, you need merely do a CP\INDEX
GETPASS.PUB.SECURITY
:HELLO MANAGER.SYS
:SEGMENTER VX
-SL SL Z@
-USL GETPASS.PUB.SECURITY
-ADDSL GETPASS
-EXIT
GETPASS can be called from COBOL in the following way:
USER PIC X(8).
ACCOUNT PIC X(8).
GROUP PIC X(8).
PASS-USER PIC X(8).
PASS-ACCOUNT PIC X(8).
PASS-GROUP PIC X(8).
ERROR PIC S9(4) COMP.
.
..
CALL "GETPASS" USING USER, ACCOUNT, GROUP, PASS-USER, PASS-ACCOUNT,
PASS-GROUP,ERROR.
IF ERROR IS NOT EQUAL TO 0 THEN << An error occurred >>
DISPLAY "SECURITY VIOLATION OR BAD USER, ACCOUNT, OR GROUP"
STOP RUN.
A real live example of a FORTRAN program calling GETPASS:
$CONTROL NOSOURCE, USLINIT
PROGRAM TEST GETPASS
INTEGER USER(4), ACCT(4), GRUP(4), UPAS(4), APAS(4), GPAS(4)
CHARACTER *8 BUSER, BACCT, BGRUP, BUPAS, BAPAS, BGPAS
EQUIVALENCE (BUSER,USER),(BACCT,ACCT),(BGRUP,GRUP), (BUPAS,UPAS),(BAPAS,
APAS),(BGPAS,GPAS)LOGICAL ERR
DISPLAY "ENTER USER: "
ACCEPT BUSER
DISPLAY "ENTER ACCOUNT: "
ACCEPT BACCT
DISPLAY "ENTER GROUP: "
ACCEPT BGRUP
CALL GETPASS (USER, ACCT, GRUP, UPAS, APAS, GPAS, ERR)
IF (ERR) DISPLAY "ERROR: SECURITY VIOLATION/BAD PARAMETER"
IF (ERR) GOTO 10
DISPLAY "USER PASSWORD=",BUPAS
DISPLAY "ACCOUNT PASSWORD=",BAPA
DISPLAY "GROUP PASSWORD=",BGPAS
10 STOP
END
FILES IN THE SECURITY ACCOUNT
*****************************
INTRODUCTION
~~~~~~~~~~~~
Lastly, I want to list some things you may see in your explorations. There are
many interesting files to be found withing the SECURITY account. Here is a
list and description of the common file you may find there:
DATA group: Data files
~~~~~~~~~~~~~~~~~~~~~~~
ANSSCHEM - Schema of the database ANSWER (might be used to increase
database capacity; default is 500 records).
ANSWER - IMAGE database which contains information about PERSONAL
PROFILE LOGON IDs (one-way encrypted passwords, access
restrictions, menu file names, etc.).
LOG - Circular disc file to which all attempted security
violations and security configuration changes are logged.
LOGOFF - Specifies logical devices to be monitored and the length
of inactivity required prior to a session being aborted.
MEMOFORM - Memo format for attempted violation listings which may be
customized to provide more or less detail.
OBSSCHEM - Dbschema input file for the image database OBSOL.
OBSOL - IMAGE database specifying the date by which MPE GROUP, USER
and ACCOUNT passwords must be changed (warning period, too).
QUESTION - During SECURITY/3000 logon the user must answer a question
randomly selected from this file (built by user; personal
profile questions are recommended).
TERMPASS - Specifies logical devices which will be protected with
passwords. Protection for dial-ups, DS lines, etc.
DOC group: Documentation files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ANORDER - Contains the DOC file names in the order in which they
should be printed.
CONTENTS - Table of contents for the SECURITY/3000 manual.
FILES - Describes the files in the SECURITY account.
GETPASS - Explains how to build job stream file in application
programs without jeopardizing system security.
HOW2LIST - Describes how to print the documentation files provided
in the DOC group with the MPEX 'USER' command.
INTRO - Overview of SECURITY/3000 package.
LOGOFF - Explains why idle sessions are a security threat. Step
by step instructions of how to configure logoff.
NEWFEATR - New features in SECURITY/3000.
OBSOL - Describes how the password obsolescence subsystem insures
the frequent changing of MPE passwords.
ONLINE - Describes the Logon Security System which protects against
online logon access.
PASCHG - User (not account manager) changeable passwords.
REFS - List of SECURITY/3000 published references.
STREAMX - Manual for STREAMX/3000 which provides batch access
security and parameter passing to job streams.
TERMPASS - Documentation of TERMPASS, which allows protection of
logical devices (DS line, dial-in lines, console, etc).
HELP group
~~~~~~~~~~
HELPMAKE - The stream to modify USER.HELP.SECURITY file.
USER - The HELP file for SECURITY/3000.
JOB group: Job streams
~~~~~~~~~~~~~~~~~~~~~~~~
LOGOFF - Job stream which runs the program LOGOFF.PUB to monitor
sessions' CPU usage and logoff idle terminals by LDEV.
PAPERS group: Security-related papers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ANAHEIM - "BURN BEFORE READING - HP 3000 SECURITY AND YOU",
HPIUG 1983, Anaheim, CA USA.
COPNHAGN - "SECURITY/3000: A new approach to logon security",
HPIUG 1982, Copenhagen, DENMARK.
PROFILE - "PRODUCT PROFILE: SECURITY/3000",
SUPERGROUP Association Newsletter, July 1982.
PUB group: Program files, USLs, UDCs, etc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FINDCAP - A program to list dangerously capabilitied users and show
if they have an MPE password. QUITE handy...
LOGOFF - Program which logs off idle sessions.
OBSCHG - Password OBSOLescence database update program.
OBSFILL - OBSOLescence data base initialization program.
OBSLOG - MPE passwords obsolescence program.
OBSOLUDC - Log-on UDC file for MPE passwords obsolescence subsystem.
OBSUDC - UDC file for MPE passwords obsolescence subsystem.
PASCHG - The program which lets users change their own password.
QGALLEY - Program to format and print DOC files.
SECURMGR - Control file containing SECURITY/3000 global parameters.
SECURUDC - Log-on UDC file for users protected by SECURITY/3000.
SECURUSL - USL file for the callable SECURITY procedure.
SESSION - USL file for GETSESSION procedure.
STREAMX - STREAMX/3000 program which provides batch access
security and parameter passing to job streams.
STRMSLEP - The SLEEPER/STREAMX interface program (see STREAMX.DOC).
STRMUDC - UDC file containing a UDC to invoke STREAMX.
TERMPASS - Program which verifies terminal (LDEV) passwords and/or
interfaces with USER program for positive user identification
TERMUDC - Log-on UDC file for users using TERMPASS.
USER - The main SECURITY/3000 program.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Informatik Submission & Subscription Policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Informatik is an ongoing electronic journal, and thus we are faced with
the ever present need for a steady influx of new material. If you have an
area of interest or expertise that you would like to write about, please do
not hesitate to contribute! We depend on reader submissions!! We do ask that
any submissions fit the following guidelines...
General Content
~~~~~~~~~~~~~~
Material for Informatik should concern information of interest to the
computer underground community. Examples of this include, but are by no
means limited to hacking and phreaking, governmental agencies, fraud,
clandestine activity, abuse of technology, recent advances in computing
or telecommunications technology, and other of information not readily
available to the public. Please include a title and author name.
Text Format
~~~~~~~~~~
* standard ASCII test
* 79 characters per line
* no TAB codes
* no special or system specific characters
* mixed case type
* single spaced, double space between paragraphs
* no pagination
News submissions
~~~~~~~~~~~~~~~
* Submit only recent news items
* Include the headline or title of the article
the author's name (if given)
the publication of origin
the date of publication
* Don't submit news that has appeared in other e-text journals
Subscription policy
~~~~~~~~~~~~~~~~~~
We are happy to provide an Internet based subscription service to our
readers. To be on our mailout list, send mail to our Internet address,
"inform@grind.cheme.cmu.edu" and include the word subscription in the
subject of your message. If you requested a subscription before, you need
to reply again, because the old subscription list was deleted by MH.
Back Issues
~~~~~~~~~~
Back issues of Informatik are available via ftp at ftp.eff.org in the
/pub/cud/inform directory. The site also contains a plethora of other
electronic texts of interest to the "computer underground" community including
Phrack, NIA, PHUN, and the LOD tech journals.