+=============================================================================+ | ## ## ## ###### ###### ###### ### ### ###### ###### ## ## ## | | ## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## | | ## ## ### ##### ## ## ###### ## ## ###### ## ## #### | | ## ## ## ## ###### ## ## ## ## ## ## ## ## ## ## | +=============================================##==============================+ | Oct 31, 1992| | [ The Journal of Privileged Information ] | | | +-----------------------------------------------------------------------------+ | Issue 05 By: 'Above the Law' | +-----------------------------------------------------------------------------+ | | |Informatik--Bringing you all the information you should know... | | and a lot you shouldn't... | | | +=============================================================================+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *DISCLAIMER* Informatik Journal is printed for informational purposes only. We do not recommend or condone any illegal or fraudulent application of the information found in this electronic magazine. As such, we accept no liability for any criminal or civil disputes arising from said information. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - =========================================== ============== - CONTENTS - =============== ================ Issue 05 ================= ======= Release date Oct 31, 1992 ======== =========================================== 01) Issue #5 Introduction By: Informatik Staff 02) X-Mas Con 1992 Announcement By: DrunkFux 04) Locks and Physical Security By: Sterling 05) USSS Frequency Guide By: Miles Barkman 06) Cellular Update By: The US Congress 07) The HP3000's 'SECURITY/3000' system (part 3) By: Sterling 08) Informatik Submission & Subscription Policy By: Informatik Staff - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /* Introduction */ Happy Halloween and welcome to the 5th issue of the Informatik Journal. Though still suffering the slings and arrows of higher education, we have again managed to crank out an issue. Unfortunately we are still having a very poor response to our call for submissions. Come on! Contribute it. Even if you aren't an expert, we can all benefit from a little research on your part. Just head on out to the local library, find something interesting, and research it into a nice, informative article. We welcome information on the government, radio, computer hacking, preaking, and anything else of interest to the "computer underground" crowd. Even if you are not a writer, we welcome any feedback you may have concerning informatik. Speaking of which, WE HAVE MOVED SHOP! Thanks to our pals in Pittsburgh, we now have a new home: (inform@grind.cheme.cmu.edu) All subscription requests, feedback, etc, should be sent to that address. The old address is no longer valid, so any correspondance to our previous address has long since entered the cyber void. The bulk of this issue (135k!!) is devoted to an article on Security Devices that is the most complete guide to locks, lockpicking, and security systems available to date. It should prove interesting to you all. In other news XMAS CON IS COMING! The whole staff of Informatik will be there, as will plenty of other interesting characters. Be there, its always interesting. Radio scanners need to check out the new collection of Secret Services frequencies and information on the latest, greatest cellular interception restrictions. And wrapping it up, we have the third and final part our series on The HP3000's 'SECURITY/3000' system. We've been asked to pass along that a bbs has been set up on 128.2.55.27 for those of you with internet access. Simply logon as bbs. Informatik staff currently consists of Sterling, and MackHammer (between naps), with additional assistance provided by Live0ne and Holistic. If you are interested in working with the staff, drop us a line. Enjoy, Informatik Staff - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [Updated Announcement - October 27, 1992] dFx International Digest and cDc - Cult Of The Dead Cow proudly present : The Third Annual X M A S C O N AKA H 0 H 0 C O N "WE KAN'T BE ST0PPED!" Who: All Hackers, Journalists, Security Personnel, Federal Agents, Lawyers, Authors and Other Interested Parties. Where: Allen Park Inn 2121 Allen Parkway Houston, Texas 77019 U.S.A. Tel: (800) 231-6310 Hou: (713) 521-9321 Fax: (713) 521-9321, Ext. 350 When: Friday December 18 through Sunday December 20, 1992 HoJo's Says NoNo To HoHo ~~~~~~~~~~~~~~~~~~~~~~~~ HAY!^@!*%!$1#&! We beat our own record! This year, thanks to one certain person's complete stupidity and ignorance, we managed to get kicked out of our first chosen hotel four months in advance. Needless to say, this caused some serious confusion for those who called to make reservations and were told the conference had been canceled. Well ... it hasn't been. The story is long, but if you wish to read exactly what happened, check out CuD 4.45. The conference dates are still the same, but the hotel has changed since what was originally reported in the first update, which made it's way throughout Usenet and numerous other places, including CuD 4.40. If you haven't heard about the new location, please make a note of the information listed above. What Exactly Is HoHoCon? ~~~~~~~~~~~~~~~~~~~~~~~~ HoHoCon is something you have to experience to truly understand. It is the largest annual gathering of those in, related to, or wishing to know more about the computer underground (or those just looking for another excuse to party). Attendees generally include some of the most notable members of the "hacking/telecom" community, journalists, authors, security professionals, lawyers, and a host of others. Last year's speakers ranged from Bruce Sterling to Chris Goggans and Scot Chasin of Comsec/LoD. The conference is also one of the very few that is completely open to the public and we encourage anyone who is interested to attend. Or, as Jim Thomas put it in CuD 4.45: "For the past few years, a conference called "XmasCon" (or HoHoCon) has been held in Texas in December. As reported previously (CuD #4.40), it will be held again this year from 18-21 December. For those unfamiliar with it, XmasCon is a national meeting of curious computer aficionados, journalists, scholars, computer professionals, and others, who meet for three days and do what people do at other conferences: Discuss common interests and relax." Hotel Information ~~~~~~~~~~~~~~~~~ The Allen Park Inn is located along Buffalo Bayou and is approximately three minutes away from downtown Houston. The HoHoCon group room rates are $49.00 plus tax (15%) per night, your choice of either single or double. As usual, when making reservations you will need to tell the hotel you are with the HoHoCon Conference to receive the group rate. Unlike our previously chosen joke of a hotel, the Allen Park Inn is not situated next to an airport and this may cause a small inconvenience for those of you who will be flying to the conference. The hotel is centrally located so you can fly in to either Intercontinental or Hobby airport but we are recommending Hobby as it is 15 miles closer and much easier to get to from the hotel. Here's where it may get a little confusing: If you arrive at Hobby, you will need to take the Downtown Hyatt Airport Shuttle to the Hyatt, which departs every 30 minutes and will cost you $6.00. When you get to the Hyatt, get out of the shuttle with your luggage (for those who may not of figured that out yet) and use any of the nearby payphones to call the Allen Park Inn (521-9321) and tell them you need a ride. It's just like calling Mom when you need a ride home from glee club! The hotel shuttle will be around shortly to pick you up and take you to the aforementioned elite meeting place, and that ride is free. If all this is too much for you, you can always take a cab directly to the hotel which will run you about $20. If you arrive at Intercontinental, you will need to board the Airport Express bus and take it to the Downtown Hyatt ($9). Once there, just follow the same instructions listed above. We are in the process of trying to get the hotel to provide constant airport transportation during the conference, but they've yet to give us a definite answer. It is quite possible that we will have our own shuttle to bus people between the airports and hotel, so if you'd prefer a faster and more direct method of transportation, it would be helpful to mail and let us know what time you'll be arriving and at what airport. This will give us a chance to coordinate things more efficiently. Check-in is 3:00 p.m. and check-out is 12:00 noon. Earlier check-in is available if there are unoccupied rooms ready. Free local calls are provided, so bring dem 'puterz. I don't know if cable is free also, so those who wish to rekindle the memories of yesteryear may want to bring their screwdrivers. The hotel has both 24 hour room service, and a 24 hour restaurant, The Nashville Room. Call it a wacky coincidence, but the hotel bar is called the ATI room and like most of Houston's similar establishments, closes at 2 a.m. Good thing Tony still works at Spec's ... This time around, the hotel is placing the conference guests in the rooms surrounding the courtyard/pool area. We are once again encouraging people to make their reservations as soon as possible for two reasons -- first, we were told that if you wait too long and the courtyard rooms are all taken, there is a chance that you'll be situated at the complete opposite end of the hotel, which isn't so bad if you don't mind walking all that way back and forth outside in December. Secondly, there is no other hotel exactly next door to this one (the closest is about five minutes away or so), so if for some odd reason all the rooms get rented, you'll get to do some nifty traveling every night. Directions ~~~~~~~~~~ For those of you who will be driving to the conference, the following is a list of directions on how to get to the hotel from most of Houston's major freeways that bring traffic in from out of town: I-45 North or South: Exit Allen Parkway on the inside (left side) of the freeway. Take the Studemont/Montrose exit off Allen Parkway, then make a u-turn at the bridge and head back towards downtown. The hotel will be on the right hand side. 290: Take 290 to 610 South, then take I-10 East towards downtown. Exit Studemont. Right on Studemont, left on Allen Parkway. The hotel will be on the right hand side. I-10 West: Exit Studemont. Right on Studemont, left on Allen Parkway. The hotel will be on the right hand side. I-10 East: Take I-10 East to I-45 South and follow the same directions from I-45 listed above. I-59 North or South: Take I-59 to I-45 North and follow the same directions from I-45 listed above. Call the hotel if these aren't complete enough or if you need additional information. Conference Details ~~~~~~~~~~~~~~~~~~ HoHoCon will last three days, with the actual conference being held on Saturday, December 19 in the Hermitage Room, starting at 11:00 a.m. and continuing until 5 p.m. or earlier depending on the number of speakers. We are still in the planning stages at the moment, primarily due to time lost in finding a new hotel and getting contracts signed. We have a number of speakers confirmed (yes, Goggans will be speaking again) and will try to finalize the list and include it in the next update. We are definitely still looking for people to speak and welcome diverse topics (except for "The wonders and joys of ANSI, and how it changed my life"). If you're interested in rattling away, please contact us as soon as possible and let us know who you are, who you represent (if anyone), the topic you wish to speak on, a rough estimate of how long you will need, and whether or not you will be needing any audio-visual aids. We would like to have people bring interesting items and videos again this year. If you have anything you think people would enjoy having the chance to see, please let us know ahead of time, and tell us if you will need any help getting it to the conference. If all else fails, just bring it to the con and give it to us when you arrive. We will also include a list of items and videos that will be present in a future update. If anyone requires any additional information, needs to ask any questions, wants to RSVP, or would like to be added to the mailing list to receive the HoHoCon updates, you may mail us at: dfx@nuchat.sccsi.com drunkfux@freeside.com drunkfux@ashpool.freeside.com 359@7354 (WWIV Net) or via sluggo mail at: Freeside Data Network Attn: HoHoCon/dFx 11504 Hughes Road Suite 124 Houston, Texas 77089 We also have a VMB which includes all the conference information and is probably the fastest way to get updated reports. The number is: 713-866-4884 You may also download any of the conference announcements and related materials by calling 713-492-2783 and using the username "unix", which is unpassworded. The files will be in the "hohocon" directory. Type "biscuit" if you wish to gain an account on the system. You can find us there too. Conference information and updates will most likely also be found in most computer underground related publications, including CuD, Informatik, NIA, Mondo 2000, 2600, Phrack, World View, etc. We completely encourage people to use, reprint, and distribute any information in this file. Stupid Ending Statement To Make Us Look Good ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HoHoCon '92 will be a priceless learning experience for professionals (yeah, right) and gives journalists a chance to gather information and ideas direct from the source. It is also one of the very few times when all the members of the computer underground can come together for a realistic purpose. We urge people not to miss out on an event of this caliber, which doesn't happen very often. If you've ever wanted to meet some of the most famous people from the hacking community, this may be your one and only chance. Don't wait to read about it in all the magazines and then wish you had been there, make your plans to attend now! Be a part of what we hope to be our largest and greatest conference ever. Remember, to make your reservations, call (800) 231-6310 and tell them you're with HoHoCon. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ********************************************* ********************************************* ** ** * Locks and Physical Security Devices * * * * by Sterling * ** ** ********************************************* ********************************************* Introduction ------------ Ever since man has had something worth keeping, he has devised ways to protect it. The Egyptians were the first to develop a working lock of any complexity. It was based on a flat, wooden "key" with a series of raised pins that enable the user to slide back a wooden bolt that protected the door from entry. Advances in metallurgy eventually brought forth locks of iron. As locks became more complex, the great medieval locksmiths' guilds carefully guarded their secrets. Restrictions forbid the guild's members from discussing the relatively simple inner workings of locks for fear of losing their power. By protecting their secrets, the locksmiths were able to exploit their unique skills, charging outlandish sums for their services. The same principles apply today. That is why a locksmith can charge you $60 to come and unlock the door to your house. Americans spend millions each year on security systems to protect their property. Often this money is wasted on devices that really provide only limited protection. In this text I would like to expose how locks and security systems work, and how you can bypass them if needed. It is easy to lose faith in the common door lock once you understand its simple operation. It took me less than a week with my lock picks before I could open my front door. Any first timer can open a desk or filing cabinet after achieving a basic understanding of the principles of modern locks. Hopefully this article will expose to more people just how unsecure locks can be, and with practice you should be able to pick your way into your house should the need arise. The content of the article comes from a wide variety of sources. Personal experience, excerpts and summaries from the "alt.locksmithing" newsgroup, and from locksmithing and lockpicking books. Special thanks goes out to *Hobbit* for his simplex and hotel lock articles. There are several types of locks that you are likely to encounter. These locks are easy to spot and identify what you know what to look for. Here I will discuss everything from the seldom used "warded lock" to alarm systems. Table of Contents: ------------------ Key Operated Locks Latches The Warded Lock The Lever Lock The Wafer (Disc) Tumbler Lock The Pin Tumbler Lock Tubular Cylinder Locks Lockpicking Tools The Basic Picks Making Your Own Picks Purchasing Picks Attitude and Tips for Success Other Security Devices Combination Locks Magnetic Locks Simplex Locks Automotive Protection Systems The Marlock System VingCard Locks Electronic Hotel Card Locks Alarm Systems Type of Latches ~~~~~~~~~~~~~~~ The latch is a spring bolt that actually holds the door shut. This is in contrast to the deadbolt, that had NO spring, and must be manually engaged. There are two primary types of latches, the springlatch and the deadlatch. The springlatch is much more convenient, when the door is shut, the springlatch springs into place, locking the door shut. This is the type of latch found on most key-in-knob type door locks. The problem with the springlatch is that it is easily defeated by sliding a plastic card or thin knife and forcing it back. To prevent this, a latch guard can be installed. This is a device constructed from heavy steel folded lengthwise at a ninety degree angle or a T-bar shape. It is usually anywhere from six to twelve inches in length and is fastened to the edge of the door by bolts. The latch guard hides the latchbolt, and prevents any tampering with it. The deadlatch cannot be shoved open like the unprotected springlatch can. When the door is closed, the latch bolt is secure in the lock position and acts as a deadbolt (a bolt that is not spring loaded, and resists any end pressure). The deadlatch resembles a smaller, beveled bolt projecting from the latchbolt. On some designs, the deadlatch takes the shape of an additional bolt, somewhat smaller, and usually placed higher up on the lock body. A key or interior locking mechanism must be used to engage the deadlatch and lock the door. The Warded Lock ~~~~~~~~~~~~~~~ The warded lock's basic design was created by the ancient Romans. The basic principle behind its operation is a series of "wards" (projecting obstructions) that prevent all but the proper cut key from being rotated inside the lock. These obstructions have been placed in the path of the turning of the bit portion of the key. This type of lock utilizes a key that has been notched in a way that it clears all the wards, but is still able to turn the bolt. These locks are easy to recognize. They are the "classic" antique lock that you may still find in old houses. _______ blade (stem) ##### handle (bow) / \ ######## | | ################################# ## \ / ################################# ## | | #### ### ######## / \ #### ### ##### / \ #### / \ bit a warded key for a two-ward lock /___________\ warded key lock entrance The number of wards in the lock can vary, but normally two is the minimum. When a user inserts a key into the warded lock, the metal obstructions inside the lock allow only the proper key to be inserted. The key bittings allow the key to turn in a circular motion, opening the lock through one of four different mechanisms: 1) The key lifts a detent lever while throwing the bolt, providing deadbolt action. (Deadbolt action means that the bolt is secure against end pressure.) 2) The key moves a bolt whose locked or unlocked position is maintained by the action of a humped flat spring in two notches on the bolt. 3) The key moves directly against the latch tail of a latchbolt, or does so through the action of a floating lever. 4) The key inserts between two springs and wedges them apart as it is turned. (Usually only in warded padlocks) Picking These locks offer only token security to the user. Besides being easy to circumvent, the warded locks offers only about fifty alternate keying combinations. Picking them is generally regarded as trivial. All that is required is to bypass the wards and move the bolt into the unlocked position. This can be accomplished by using a pick known as a "buttonhook". To make your own buttonhook pick, use a pair of pliers to bend a six inch section of coat hanger into a warded key shape as below: ######## ### ## ################################# ## # ## ## ### ## # ##### The wire should be thin enough to pass into the keyway while avoiding all the wards, but stiff enough that it can still manipulate the bolt to open the lock. Though you may have to make a "large" and a "small" warded lock pick, the same principle applies. The Lever Lock ~~~~~~~~~~~~~~ Robert Barron invented the lever lock in 1778. This constituted a considerable improvement over the ancient warded lock. It was based on a series of several "levers" that must each be raised to their own set height. If a particular lever was lifted to high or not enough, then the lock would not open. When the proper key is inserted, the notches on the key raise all the lever tumblers the required distance, lining up all the gates, allowing the lock to be opened. Not only was this new lock much harder to pick, it offered up to ten billion possible keying combinations. (The amount of practical combinations is actually around fifty thousand) ##### __ ####### / \ ## ### #### ## ########### ## \ / ###### ####### ########### ## | | a lever or "lever tumbler" ########################### ## | | lock keyhole ####### |__| #### a lever tumbler lock key Since its design the lever tumbler lock has undergone numerous improvements. One of the is called the parautopic lock. The parautopic lock consisted of two sets of lever tumbler, where the first worked on the second. It also proved a plate that turned with the key so that one could not inspect the locks interior construction. Lever locks, though limited in use, can still be found today in some hospitals, suitcases, cabinets, fine furniture, and attache cases. Lever locks are also used on safe-deposit boxes, often with fifteen or more levers and sometimes requiring two keys. Picking Lever locks are a little harder to pick then the wafer and pin tumbler variety. In fact, the type of lever locks used on safe-deposit boxes are very difficult to pick indeed. To pick a lever lock requires that tension be placed against the deadbolt throughout the course of lifting one or more levers within the lock to the required alignment with the post. This requires the use of a "lever lock tension wrench" and a "hook" or "lifter" pick. [Picks are discussed later in the Lockpicking Tools section.] Insert the lever lock tension wrench (a bit different than a normal tension wrench) into the keyway, and exert torsional pressure. The long bit is the part you hold, the next bend runs to the bottom of the lock, and the final bend fits into the notch in the bolt. Unlike most other types of locks, the lever locks requires you to exert considerable pressure on the tension wrench while picking. Usually the lever springs provide enough force to cause the levers to drop back down once picked. Because of the greater pressure, lever locks may require a slightly thicker tension wrench then normal. Then insert the hook pick all the way into the lock. Locate the back lever and raise it gently until you FEEL or HEAR a slight "click". With the lever locks, the force required to push against the spring is substantially more than in other locks. Once it reaches the correct position, the gate will align with the post, and you should notice a slight "give" in the deadbolt, as there is now one less lever obstructing the lock from opening. You should note that once a lever has been picked, the amount of force required to lift that lever will be substantially less. Move on to the next lever by slightly withdrawing the pick and repeat the process. Each subsequent lever will require the use of slightly less tension then on the previous ones. Otherwise the increased tension could cause the lock to bind up. Once you have picked each individual lever, the lock should open. If it does not, then reinsert the pick (always maintaining tension with your wrench) and jiggle each lever slightly to ensure correct alignment. Each lever does not require very much lift. This is due to the fact that the maximum depth of the cut under any tumbler is no more than half the width of the key, and never more than two-thirds its width. You should therefore use a pick that does not have too much "hook" to it. The Wafer Tumbler Lock ~~~~~~~~~~~~~~~~~~~~~~ The wafer tumbler lock was developed as a low-cost lock that offered a reasonable degree of security to the owner. These locks are make up over one-fourth of all the locks in the world. The outside of the lock resembles the pin tumbler lock (yet to be discussed), but uses a much simpler mechanism. Wafer keyways usually have simple side ward indentions. The key is usually shorter than that of other locks, but equally broad. It may be cut on one or both sides. A two sided wafer lock is often called a "double wafer." The lock consists of four main parts. The plug housing, which contains the wafers and springs, the shell, the cam (locking bolt), and the retainer. The wafers are sometimes referred to as "discs" because their top and bottom are rounded to fit into the cylinder. Here is a diagram: 5 ___ 7 | ___ ||############## 1-> @| _ |_ ## ||## ## ## ## ## @||2||/ 6##||##4##3##2##1## <-keyway @||_|| ## ||## ## ## ## ## \|___| ___||############## 3 | \plug/ detail of a wafer tumbler cutaway side view 1) spring of a wafer lock 2) key slot 3) spring wing 1-4) spacings #1-4 5) cam (operates the bolt) 6) retainer (rear plug) 7) the shell (body of the lock) Each lock has a series of chambers in which the wafers rest. These spacing closest to the front of the lock is numbered with one, and their numbers increase toward the back of the lock. Picture a number of the wafers placed face-to-face in the plug's spacing chambers. Each wafer is equal in overall size, but the key slots are of varying height. A metal spring exerts pressure on the spring wing of each wafer, forcing its lower part into the shell's "locking grooves" which lets the lower portion hang about midway into the keyway. Looking into the lock, you should be able to see this. These wafers act to hold the plug and shell together, preventing the lock from turning. When the correct key is inserted, it goes through the key slots on each wafer, raising the wafers out of the locking groove. The key must have the appropriate depth of cut in each position to raise the wafer the correct amount. The depth of the key's cut (and the length of the wafer's key slot) is any one of five different depths. The shorter the top edge of the wafer's key slot, the lower the key cut depth value. For instance the number 1 slot (the slot that is the largest) would require the shallowest cut in the key. Normally lock manufacturers place a number four or five wafer near the keyhole to block the view of the back wafers. Also note that the same type of wafer may appear several times in the same lock. Above some brands of wafer tumbler lock you will see a small hole. When the lock has been unlocked, you can remove the entire lock plug by inserting a piece of stiff wire into this hole and depressing the retainer. Though nowhere near as secure as the pin tumbler lock, the wafer tumbler is a very popular, low cost lock. The lock is normally found on cheaper cabinets and desks, some padlocks, some automobile locks, locking handles, and trailer doors. Where more security is desired, the double wafer type is used, providing wafers on the top and bottom of the keyway. Picking Though harder to pick then the warded lock, the wafer lock is still easy to circumvent. This is an excellent lock to practice on because the techniques required to pick it are applicable to the pin tumbler lock as well. Like the lever lock, picking the wafer tumbler lock requires use of a tension wrench and a pick. A variety of the different picks can be used including the rake, the hook, the half-diamond, and the half-round pick. Selection depends on the size of the lock, the distance between each wafer, and personal preference. Raking One of the most common methods of picking the wafer tumbler lock is by raking. To rake the lock, insert the tension wrench is inserted just inside the keyway, stopping short of the first wafer, and flush with the bottom of the keyway. Apply moderate tension to the wrench. If you apply too much tension the wafers will bind and not be able to move into alignment. Once you have the tension wrench in place, insert either the rake or half-round pick into the keyway. Don't worry about feeling the tumblers, instead concentrate on applying uniform pressure to them as you move the rake in and out of the keyway in a scrubbing motion. This scrubbing motion should cause the wafers to lift into alignment as they are thrown up and down in their spacings. This method is usually quite effective on most wafer locks, and should always be tried first. Manipulating Individual Wafers If the lock does not respond to raking, you can try using the half-diamond pick to each wafer into alignment one-by-one. While maintaining light but consistent pressure with the tension wrench, use the pick to lift each wafer into alignment at the shear line, starting from the backmost tumbler. Once it reaches the proper alignment, you should feel or hear a slight "click" and the plug will turn ever so slightly, relieving a bit of pressure on the wrench. Continue one-by-one, working outward, until each tumbler has been aligned and the lock opens. Vibration Picking Often you can use a technique called vibration picking to open a wafer tumbler lock. This uses a tool known as a "snapper" pick or a "lockpick gun". [These are described in the Lockpicking Tools section of this article] To use the snapper pick maintain a light tension with the wrench and insert the tip of the pick into the keyway, just touching the bottom of the tumblers. Then use the thumb, which rests along the top edge of the pick to depress the top loop. Let the thumb slide off the compressed part of the pick, permitting it to snap back. It will then strike a light blow to the tumblers, popping them up until they are held in place at the shear line. Repeated snaps, while maintaining tension with the wrench, usually results in aligning all the tumblers, and thus opening the lock. The lockpick gun works automatically, with a trigger device that "snaps" its wire pick up in the keyway. Picking Double Wafer Locks Double Wafer locks are picked the same way as single wafer locks, but there two sides to the story. Not only must you align all the top wafers, but the bottom ones as well. You can purchase special designed tension wrenches with will let you then use a ball pick to pick both sets of wafers. Alternatively you can use a standard tension wrench in the center of the keyway, using a half diamond pick. Once you have picked one set, simply reverse the pick and pick the other. It may take a few tries before you are able to hold all the wafers in place. The Pin Tumbler Lock ~~~~~~~~~~~~~~~~~~~~ Pin tumbler locks are by far the most popular lock today. Over half of the locks in use are of the pin tumbler type. They look similar to the wafer tumbler lock, but can easy be distinguished by their round pins, visible in the keyhole. There operation is also similar to the wafer type, but is more costly and requires much stricter machining tolerances. Here are some diagrams: | | | |________________________________________ | | @ | | @ | | @ | | @ | | @ | | | @ | | @ | | @ | | @ | | @ | Tumbler springs | | @ | | @ | | @ | | @ | | @ | | | @ | 4 | @ | | @ | | @ | | @ | | | @ | ||~|| | @ | ||~|| ||~|| |___||~||___|| ||___||~||___|| ||___|| ||__ _ _ _ _ _ _Shearline \_ ||1|| 3 || || || || || || || | | \_|| ||___||~||___|| ||___||~||___||~| | |~| | | |~| | | | | | keyway |2| | | | | | | | | | Plug |_| |_| |_| |_| |_| | +-----------------------------------------+ | | | | The pin tumbler lock, cutaway side view (locked) 1) top pin 2) bottom pin 3) cylinder (top of plug) 4) shell | | | |________________________________________ | | @ | | @ | | @ | | @ | | @ | | | @ | | @ | | @ | | @ | | @ | Tumbler springs | | @ | | @ | | @ | | @ | | @ | | || || 4 || || || || || || || || | ||1|| || || || || || || || || |___|| ||_ _|| ||___|| ||___|| ||___|| ||__ _ _ _ _ _ _Shearline \_ ||~|| 3 ||~|| ||~|| ||~|| ||~| | \_||2||___|| ||___|| ||___|| ||___|| | | | | |_| | | | | | keyway |_| |_| |_| | Plug | +-----------------------------------------+ | | | | The pin tumbler lock, cutaway side view (unlocked) 1) top pin (drivers) 2) bottom pin (key pins) 3) cylinder (top of plug) 4) shell ___________________ ___________________ _/ @ \_ _/ @ \_ / @ 3 \ / @ 3 \ | @ | | | | | | | | | | |2| | | ____|2|____ | | ____|_|____ | | / |_| \ | | / | | \ | | | _| |_ 4 | | | | _|1|_ 4 | | | | / |1| \ | | | | / |_| \ | | | | | |_| | | | | | | | | | | | | | | | | | | | | | | | | 5 | | | | | | 5 | | | | | \_____/ | | | | \_____/ | | | | 6 | | | | 6 | | | \___________/ | | \___________/ | | 7 | | 7 | \_ _/ \_ _/ \___________________/ \___________________/ Locked Unlocked Pin Tumbler Lock (front) Pin Tumbler Lock (front) 1) bottom pin (key pins) 2) top pin (drivers) 3) tumbler spring 4) shear line 5) keyway 6) plug (cylinder) 7) shell OK, I will explain how the pin tumbler lock works, but you really should consider going to K-Mart and buying a cheap lock to take apart and study. In the lock's shell (main body) there is the keyway and three to eight (usually five) spacings drilled from the top of the lock into the keyway. This is similar in principle to the wafer lock. In each of theses spacings are two pins and a spring. The top pins are always the same length, while each bottom pins can each be any of ten different sizes (0-9). Note that the bottom pins have a rounded bottom, allowing for them to ride up the key easier. The spring forces the pin stack down so that the lower pin protrudes into the keyway. (The wedge slot keeps them from falling all the way to the bottom of the keyway) When the correct key is inserted, each pin stack is lifted according to how deep or shallow the key is cut in that corresponding location. To open the lock, the top of bottom pin (the point where the top and bottom pin meet) must line up with the lock plug and the shell (the shearline). When in this position, the lock is unlocked and the plug can rotate around, taking the bottom pin around with it. If any pin is raised too high, or not high enough, then that pin keeps the plug from turning inside the lock shell. Of course in the locked position, all the pins stop the plug from turning. These locks are used almost everywhere. The provide over a million possible combinations for a five pin lock, and billions for the eight pin. These are the standard door locks in most residential and commercial buildings. Often you will find pin tumbler locks with only three pins on cheap desks, some copy machines, and storage lockers. They offer a reasonable degree of security, but are far from tamper proof. Picking Picking the pin tumbler lock is based on the principle that slight imperfections exist in every lock. Every lock is machined to certain sets of tolerances, such as plus or minus .0002 inches. The closer the tolerance, the harder the lock is to pick, but the more expensive the machining costs. That is what makes one pin tumbler lock harder to pick than another. This variation in the lock's components means that in attempting to turn the plug in the lock without the proper key, one tumbler will be caught up and become tight before subsequent tumblers are. Therefore, when turning tension is applied to the plug with a tension wrench, and the tight tumbler is lifted with a pick, there will be either a clicking feel or a sudden relief in the tension the tumbler exerts on the pick. This relief of tension occurs when the pin is brought up even with the shear line. At this time, lifting can be stopped. Use a hook pick to lift each pin to its breaking point, starting with the pin that is bound (resisting) the tightest. Gently pry the pin up against the spring pressure until it breaks at the shear line. Care must be taken not to lift the pin too high, or it may become jammed in the upper chamber. It is often impossible to get this pin back down without releasing tension on the plug. A common problem is applying too much tension. A light touch should be used because too much pressure on the wrench not only makes it hard to feel any change in torsional pressure, but tends to bind all the pins, making picking order difficult to determine. The tension wrench needs only to provide a little torque so that the pins stay up once picked. Raking and Vibration picking You can also use the raking and vibration picking methods described in the section on wafer tumbler locks to pick pin tumblers. You can even use a combination of raking and pin picking. Simply rake the pins a few times, and then go back and pick any pins that the rake missed. You can use the hook pick to probe each pin. If the pin feels "springy" then it has not yet broke at the shear line. Another technique: Start picking at the back pin, the one furthest away from you as you face the keyway. The reason for this is relatively simple. The rear pin will be the last worn, and when you break it, the lock's plug will move the most it ever will for just one pin breaking. This will make it easier to pick the other pins, as the break between the inner and outer cylinders will be progressively held tight against the pin you are working, as you work the lock from rear to front. The reason the rear pin is least worn is that inserting a key "rakes" the pins up and down, wearing down their sides. The rear pin is raked only once per time the key is inserted, the pin in front of it is raked twice, and so on. Its not uncommon to see locks in which the front pin can not be picked before the rear ones. The reason was that it was worn down to the point that no amount of torsion would cause the inner plug to put any force against it. Consequently, it won't break. Rapping Sometimes you can use a form of vibration picking known as rapping to open a pin tumbler lock. A tension wrench is inserted into the keyway, and light to moderate tension is applied. At the same time, the face of the plug is struck sharply with a plastic mallet or hammer handle. The rapping forces the springs and pins to gravitate toward the force of the blows. Hopefully this vibrates the picks into their breaking positions. DO NOT HIT TOO HARD! Approach this method with caution. Practicing To learn how to pick pin tumbler locks, it is best to go to the store and buy a "practice" lock. Try to find either a KwikSet brand or a cheap Ilco lock cylinder. On top of the lock shell is a little sliding strip that covers the pin spacings. Carefully slide it out. you can then take out the spring, the top pin, and the bottom pin. Remove all but one the assemblies and replace the cover. Now you can practice on picking the lock with only one pin. When you become good at that, insert another stack of pins, and so on until you can pick the lock with all five pins in place. Spool Pins It is possible that in the course of picking a high security pin tumbler locks, the plug will turn a bit as if it were going to unlock, then stop. I will turn no more than 2 or 3 degrees around. This means you have encountered a spool pin. These are simply drivers, or key pins, or both that have had their center portions cut down to a smaller diameter. ______ |_ _| | | | | Lock body Note that any torsion applied to the ___| | | |____ cylinder will tend to catch the spooled ||____|| pins at their waists instead of at the | ____ | Cylinder break between the pins. This will ||_ _|| either prevent the pick from pushing | | | | the pin up if the top spool is caught, | | | | or it will prevent the pin from falling ___|| ||____ down, if the bottom spool is caught. | | \__/ Keyway spool pins With a hook pick, you'll be able to press up on each pin and feel the difference. When you have a spool pin caught across the shear line, gentle upward pressure will result in force in the opposite direction of the way you're turning. Determine which pins are spool pins and push up until the bottom of the pin (assuming it's a top pin) crosses the shear line. You might lose some previously picked pins, but just pick them again. Interlocking Pins Several manufacturers have designed high security locks involving angled and interlocking pins. Emhart makes a cylinder using angled cuts on the keys where the top and bottom pins actually interlock: +--------------+ | | | Top | | Pin | | | | | Interlocking Pins +-----+ +-----+ +---+ | | +---+ | | | | | | | +-+ | | +-+ | | | +-+ +-+ | | | | | | | | | | +------+ | | | +----------+ | | | | Bottom | | Pin | So the pins have to be turned to the correct angle in order for the pins to slide apart when you turn the plug. This also means that the cylinder has to be grooved to allow for the portion of the top pin sticking down, and the bottom of each key has notches in it so that it can turn more than 180 degrees. Tubular Cylinder Locks ~~~~~~~~~~~~~~~~~~~~~~ Tubular cylinder locks are widely accepted as the most secure locks you can get for a reasonable price. Tubular cylinder locks are the round type locks you find on most vending machines, ATMs, and the like. They are basically a pin tumbler lock where the pins are arranged on a circular plane. The key is a cylinder with cuts around its perimeter. When the key is inserted, each pin (whose faces are visible) is pushed in the corresponding depth and the plug can be turned. Picking Your best bet for picking these locks is to purchase a specially designed tubular cylinder pick. While it can be picked with conventional tools, it takes forever because you have to pick it three or four times to turn the plug the 120 to 180 degrees needed to unlock it. And what's worse is that the cylinder locks after each time you pick it -- every one-seventh of a turn! If you want to try it, here's how. If you don't have a tubular cylinder pick you will require a wrench that is .062 inches square on its end. Fit this into the groove of the tubular cylinder plug. Apply tension in a clockwise direction, then use a straight pin to push each pin down until it clicks into place. Proceed to the next pin, until all are picked and the plug turns a few degrees. You will have to repeat this until it unlocks. Do not leave the locks halfway picked. If you do, even the original key will not be able to open the lock until it has been picked back into its original position. Good Luck! Lock Picking Tools ~~~~~~~~~~~~~~~~~~ The Basic Picks | _______________________________________| tension wrench This is the standard tool for pin and wafer tumbler locks. It is inserted in the bottom of the keyway to provide a torsional force to the lock cylinder. ______________________________________/| half-diamond pick The half-diamond pick can be used for raking or picking wafer tumbler locks, or picking pin tumbler locks where the distance between pins is small. ---------------------------------\/\/\/\ rake Not surprisingly, the rake (sometimes called a snake pick) is used to rake wafer and pin tumbler locks. . ______________________________________/ hook The hook (also known as the feeler or lifter pick) is normally used for picking pin and lever tumbler locks, but can be used on larger wafer locks. ______________________________________O O ball _____________________________________OO OO double ball The ball type picks are actually not as pronounced as they look here in the ascii diagram. Imagine a "ball" of a little less height, a bit more width. Though not essential, the ball picks can be used when attempting to rake a wafer-tumbler lock. Lever Tumbler Tension Wrench The big difference with a lever tumbler is in the method of applying torque. The cylinder, in models where it's visible, rotates freely--it does not operate the bolt. Rather, the end of the key goes into a notch in the bolt, directly operating it, just as in a warded lock. This means you need a different torsion wrench, that looks like this: _______ | | | | | | | | |__________________ Obtaining Lockpicks Now I'm sure that you are ready to start practicing. Unfortunately, locksmiths and the public in general seem reluctant to make picks an easy item to obtain. Therefore you can either make your own, (not that difficult) or obtain them from a commercial supplier (also not that difficult.) Making Your Own Picks You can file or grind picks out of spring steel. It is best to use spring steel - sources include hacksaw blades, piano (music) wire, clock springs, streetsweeper bristles (which can be found along the street after the sweeper has passed), etc. Or, go down to the auto parts store and buy a few stock lengths of .022 in. automobile feeler gauge. You can cut each one in thirds and make a pick from each piece. In a pinch safety pin steel, or even a bobby pin (much worse) can be used. Also try the metal band that holds a set of walkman type earphones together. It is already the perfect width and all you have to do is grind the indentations on it. It makes a really great heavy duty wrench also. You will need an electric grinder, or a grinding wheel mounted on a drill, to shape the picks. When grinding, keep the steel from getting so hot as to anneal (soften) it. You may have to re-harden or re-temper it. Temper the steel by repeatedly getting it red-hot against the grinder, then quenching it. What you get won't be feeler gauge and it won't be spring steel, but something in between that has some give to it and won't shatter. For a tension wrench, while you're at the grinder, take a medium-sized Allen wrench and grind its hexagonal head into a flat blade. Alternatively, you can use a small screwdriver, bent at the end. (Bending a screwdriver with any precision is pretty tough). Bobby pins also make an alright tension wrench, especially the larger ones. They work best if you cut them off and flame to red hot with a burner. Then while it's still hot twist it 180 deg with a pair of vicegrips or needle nose pliers, and bend down the end so it looks like the professional ones, this gives it more 'spring'. The flaming should be done, maybe 3/4ths of an inch from the end. Finally file and sand rough spots from where you cut it. If you take the finest or next to finest crochet hook they make and file down the sides of the business end of it so it will fit in the lock, you can make an excellent feeler pick. Picks from Paper Clips To open a lock with two paper clips, unbend one like this: ____________ / \ This shape is your lockpick, you \__________________________/ put the end with the little hook in the lock and use it to fiddle with the pins. Unbend and re-bend the other paperclip like this: ____________ / \ This shape is your torsion \______________________ wrench. You use it to put | torque on the lock cylinder. _| When the hook is in the cylinder the handle should hand off to the side and the final bend on the hook should be short enough that there is room to get the pick into the keyhole. Warning: Filing cabinets and desks are pretty easy to do with these, but it's not easy to do a door lock with them. Better materials really do help when you're dealing with more than 4 pins in a lock. Making a Pick Gun Get yourself a piece of music wire from the local hobby shop. Find wire that seems just a bit big for an average keyway. This will be ground down later so that it can be inserted. Wire of this diameter is so stiff you may doubt that you have the right size. But you need this stiffness for the device to work. Don't use wire that is too light. You want to bend a circle in the wire about 5 inches back from the end. You want enough length in the first straight part to go all the way into the keyway and leave enough to comfortably fit in your hand. Call this straight part Side A. Try bending the wire around the body of a Magic Marker; this seems to make a nice sized loop. The loop should be 360 + 180 degrees so that the long end of your wire is now parallel to side A. Let's be original and call this Side B. Use pliers to make a 90 degree bend in side B so that the end of it crosses side A. This bend should be located so that the part of side A which extends past the bent part of the wire is long enough to go all the way into the keyway. Hey, why don't we call this cross-piece Side C? Bend this cross-piece 180 degrees around side A so that it forms a slot for side A to slide up and down in. Call the wire segment which goes from A to B and is parallel to C, Side D. Snip off the end of side D which extends beyond side B. We now have an object which resembles a safety pin (hence the name) which has one side (side A) which slides up and down in a slot made by sides C and D and which is held in the bottom of this slot by the spring tension in the loop between sides A and B. Grind the sides of the piece which is to go in the keyway so it will fit. Grind the top of this piece flat. The Top is the side toward side B. This is the part which will be against the tumblers. Bevel the end so it will slide under the tumblers more easily. To use the gun, insert the end into the keyway with side B up. Press down on side B with your thumb to slide the slot C-D down. Let your thumb slip off the wire and the spring will pull side B back up. When the bottom of the C-D channel hits the bottom of side A, it delivers a sharp blow to the bottoms of the pins. Use VERY light pressure on the tension wrench and snap the gun a few times to knock the pins up to the shear line. See the section on wafer locks for a more information. Electric Vibration Picks The motor/base casing from a electric toothbrush, or vibrator makes a decent vibrator pick (pick gun) when you superglue a straight pick to it. Alot cheaper than the pro models, and generally smaller too. Purchasing Your Picks Generally picks are not sold over the counter. Your best bet is to order them from a mail order firm. Most firms will inquire as to your profession when making a purchase. They may not wish to sell them to you unless you are some sort of pubic safety personnel such as an EMT or a fireman. They are available from a variety of sources. Here are some of the most popular: ---------- Gall's Inc. (800)-477-7766 Catalog #BA ---------- Item # : ALS15B Price : $19.99 Name : 10-Piece Locksmith Pick Set "Be prepared for any lock-out. Nine picks and wrenches are grouped in a handy foldover carrying case that is small enough to carry in your pocket. Order you lock pick set and keep it handy for easy entry to any lock-out situation. Black." Item # : PG1B Price : $59.99 Name : Lock Pick Gun "Our trigger action lock pick gun opens doors easily. Just use it with the included picks and instructions -- with a little practice, you can smoothly open any locked house or apartment." ---------- Delta Press Ltd. (800)-852-4445 ---------- Item # : LPS-002 Price : $24.95 Name : The 8 Piece Tool Set "These high quality picks feature new lighter non-breakable plastic color coded handles. Picks are of .022 blue spring steel - hardened to perfection Eight piece set comes with handy see-through case." Item # : LPS-003 Price : $39.95 Name : The 11 Piece Tool Set "This deluxe 11 piece kit features all metal handles and comes in a discrete carrying case for undercover operatives. All picks are .022 blue spring steel and hardened to perfection." Item # : LPS-005 Price : $119.95 Name : The 60 Piece Tool Set "Here it is. The finest lockpick set we've stocked. It includes 60 picks, tension wrenches, and a broken key extractor plus a zippered top grain cowhide case and warded master keys." Item # : LPS-004 Price : $59.95 Name : Professional Locksmithing Tool "The famous lockaid Tool was designed for law enforcement agencies to quickly pick pin tumbler locks. The american-made product is the only superior "lock gun" available. Unlike conventional hand picks that activate only one or two cylinder pins, this tool is designed to span all the pins at once. The needle, powered by trigger action, strikes all t the cylinder bottom pins simultaneously. As the force is transferred to the upper pins, they momentarily rise in the chambers. Comes complete with 3 stainless steel needles and tension wrench." ---------- Phoenix Systems Inc. (303)-277-0305 ---------- "OUR LOCK PICKS ARE THE FINEST QUALITY PROFESSIONAL TOOLS AVAILABLE. Each pick is made of hard-finished clock-spring steel, tempered to the correct degree of hardness. Whether the subject is wafer tumbler locks or 6 & 7 pin tumbler locks, our picks are the best available, and the standard of the industry. With a few minutes of practice, even a beginner can open most padlocks, door locks and deadbolts. NOTE: BE SURE TO CHECK YOUR LOCAL, AND STATE ORDINANCES GOVERNING POSSESSION OF THESE TOOLS." Item # : 604 Price : $75.00 Name : Superior Pick Set "Hip pocket size in top grain leather case. Our most complete set. 32 picks, tension tools & extractors." Item # : 606 Price : $34.95 Name : Tyro Pick Set. "An excellent choice for the beginner. Cowhide leather case contains 9 picks, tension wrenches & key extractor." Item # : 607 Price : 9.95 Name : Warded Padlock Pick Set "This 5 piece padlock pick set is made of the finest blue tempered spring steel. This set will pick open most every warded padlock made today." Item # : 610 Price : $24.95 Name : Double Sided Tumbler Lock Picks "Set of 4 picks for use with double-sided, disc tumbler, showcase, cam and PADLOCKS. An excellent addition to your other pick sets." Item # : 617 Price : $39.95 Name : Padlock Shim Picks "Open padlocks in seconds! Our new Padlock Shim pick's unique design makes them so successful that it is frightening! Simply slide the shim down between the shackle and the lock housing, twist and the lock is open. Works best on laminated type padlocks (the most popular type) but will open ALMOST ANY TYPE OF PADLOCK -- INCLUDING THE POPULAR 3 NUMBER COMBINATION TYPE. Include 20 shims -- 5 each of the 4 most common shackle diameters for perfect fit every time. Comes with complete instructions." Item # : 618 Price : $34.95 Name : Schlage Wafer Pick Set "There are two types of Schlage wafer locks, each needing a different base key to pick with. This set comes with both types of base keys and the pick. With the proper base key the lock is already half picked. Very quick and easy to use. Comes with complete instructions. Item # : 620 Price : $59.95 Name : Pick Gun "Picks locks FAST. Open locks in less than 5 seconds. Specifically designed for tumbler locks. Insert pick into key slot, then just pull trigger. Throws all pins into position at one time. Lock is then turned with tension bar. Used extensively by police and other government agencies. Gun is spring loaded, with tension adjustment knob. Comes with 3 needle picks and tension bar. No batteries necessary. Life-time guarantee. Item # : 612 Price : $16.00 Name : The Slim Jim "Car door opener. The tool does not enter inside the car. Opens a car door by "feel" rather then sight. With a little practice, car opening will be no problem. For GM, Ford and Chrysler cars. Made of clock-spring steel and is hand finished." Item # : 613 Price : $16.00 Name : The Super Jim "This tool will open most GM, Ford and AMC car doors. Opener does not enter vehicle. Made wider and thicker, and is bright nickel plated. Faster openings on most domestic automobiles. With illustrated instructions." Item # : 614 Price : $19.95 Name : Houdini Car Door Opener "The latest and best innovations on car door openers. It works the same as your old Slim Jim, except it now folds neatly to fit in pocket or toolbox without getting in the way. ONLY 6 1/2 INCHES LONG WHEN FOLDED. Open up and snaps into place like a fold-up ruler, excellent stainless steel constructions with vinyl handle for comfort." Item # : 615 Price : $39.95 Name : Pro-Lok "Car Killer" Kit "Over the years we have had thousands of requests for a multi-vehicle opening kit. We are now able to offer the most complete kit that we have ever seen. This kit of tools will open over 135 automobiles, both domestic and foreign, on the road today. The opening procedure for each vehicle is diagrammed and explained in the instruction manual. Kit comes with complete instruction manual and gas cap pick tool." Item # : 600 Price : $129.95 Name : Tubular Lock Pick "This tool is an easy and reliable method for picking tubular locks, as found on commercial vending machines, washers, dryers, etc. This newest high tech design is much faster and easier to use than the old type that used rubber bands to hold the feeler picks. Internal neoprene "O" rings together with knurled collar provide a very simple and easy tension adjustment. Sturdy stainless steel construction provides for long-lasting service. This tool will, with a little practice, easily and quickly open any regular center-spaced tubular lock -- the most popular type of tubular lock on the market. Comes with complete instructions and leather carrying case." Tips for Success ~~~~~~~~~~~~~~~~ Following is information that will help you become more adept at manipulating locks. Solutions to common problems and general miscellaneous information that could prove useful is included. Determining the Direction of Rotation Before you can pick a tumbler type lock, you must determine the correct direction of rotation. It may sound like a trivial point, but who wants to waste hours trying to pick a lock the wrong direction. Though there will of course be exceptions, there are some general guidelines. Cylindrical locks, padlocks, file cabinet locks almost always turn in a clockwise direction or either direction to open. When confronted with a door lock, turn the plug so that the top of the keyhole turns toward the edge of the door. There is a notable exception here, Corbin and Russwin locks turn AWAY from the door edge. Tight or Dirty Locks If a lock seems exceptionally tight or dirty, it will be hard to break the pins. It may help to lubricate the lock. NEVER use a liquid type lubrication such as WD40, 3-in-1 oil, etc... Use powdered graphite, available in most hardware stores. It comes in a little tube, allowing a light squeeze to blow a puff of graphite into the keyway. If lubrication does not help, you may need to apply a little firmer hand on the tension wrench. Proper Attitude It is very important to maintain a confident attitude while you are learning to pick locks. If you feel nervous or stressed, it will only make things harder. You will not be able to pick every lock you come to, but with practice and patience, you may be surprised. Visualise what is happening inside the lock, this is the key. If you don't fully understand how a lock works and exactly what you are doing to it, you will not experience a high degree of success. Combination Locks ~~~~~~~~~~~~~~~~~ Combination locks work on a series of flat, round disks that have notches and pegs (one of each, one set per disk) along their circumference. Notches are referred to as "gates". The first tumbler determines the last digit of the combination, and is actually attached to the dial directly. As the dial is turned, the peg of the first tumbler catches on the middle tumbler's peg, dragging it along. As the dial is turned further, the middle tumbler latches on to the peg of the last tumbler, all three turning together. Turning all the tumblers is known as "clearing" the lock, and must be done before attempting to operate the lock. For the lock to open, the gate on each disk must align up with the pawl (breaking arm) of the bolt. Dialing the first digit of the combination aligns the last tumbler's gate to the pawl. Before dialing the second digit, the dial must be turned one complete turn in the opposite direction (assuming a three tumbler lock, twice for a four digit one). Rotating in the original direction to the last digit will align the first tumbler's gate, and the lock can open. Modern safe combination locks are impossible to crack (literally). Many innovations have given high quality locks this degree of security. Burglars learned to feel the gates and pegs rotate about the lock, allowing them to manipulate the tumblers into their proper position. To combat this, a searted front tumbler was designed to create shallow "false gates". The false gates are difficult to distinguish from the actual gates. To combat this problem, safe crackers would hook up a high speed drill to the dial. This would wear the tumblers edges smooth, eliminating the bothersome shallow gates. Still, despite their security, cheap combination locks are far from foolproof. Determining an Unknown Combination The most common and difficult to open of these small disk tumbler locks are the Master combination padlocks, and they are quite popular. With practice, they CAN be opened. The newer the lock is, though, the more difficult it will be to open at first. If the lock has had a lot of use, such as that on a locker-room door where the shackle gets pulled down and encounters the tumblers while the combination is being dialed, the serrated front tumblers will become smoothed down, allowing easier sensing of the tumblers. So, until you have become good at opening these locks, practice extensively on an old one. Here's how. Step One First, clear the tumblers by engaging all of them. This is done by turning the dial clockwise (sometimes these locks open more easily starting in the opposite direction) three to four times. Now bring your ear close to the lock and gently press the bottom back edge to the bony area just forward of your ear canal opening so that vibrations can be heard and felt. Slowly turn the dial in the opposite direction. As you turn, you will hear a very light click as each tumbler is picked up by the previous tumbler. This is the sound of the pickup pegs on each disk as they engage each other. Clear the tumblers again in a clockwise manner and proceed to step two. Step Two After you have cleared the tumblers, apply an upward pressure on the shackle of the padlock. Keeping your ear on the lock, try to hear the tumblers as they rub across the pawl; keep the dial rotating in a clockwise direction. You will hear two types of clicks, each with a subtle difference in pitch. The shallow, higher pitched clicks are the sound of the false gates on the first disk tumbler. Do not let them fool you-the real gates sound hollow and empty, almost nonexistent. When you feel a greater than normal relief in the shackle once every full turn, this is the gate of the first tumbler (last number dialed). This tumbler is connected directly to the dial as mentioned earlier. Ignore that sound for now. When you have aligned the other two tumblers, the last tumbler's sound will be drowned out by the sound of the shackle popping open. Step Three While continuing in a clockwise direction with the dial, listen carefully for the slight hollow sound of either one of the first two tumblers. Note on the dial face where these sounds are by either memorizing them or writing them down. Make certain that you do not take note of the driving tumbler (last number dialed). If you hear and feel only one hollow click (sounds like "dumpf"), chances are that the first number could be the same as the last one. You should have two numbers now. Let us say one of them is 12 and the other is 26. Clear the tumblers again just to be safe and stop at the number 12. Go counterclockwise one complete turn from 12. Continue until there is another "dumpf" sound. After the complete turn pass 12, if you feel and hear a louder than normal sound of a tumbler rubbing on the pawl, the first tumbler is properly aligned and the second tumbler is taking the brunt of the force from the shackle-you are on the right track. When the second tumbler has aligned in this case, you will feel a definite resistance with the last turn of the dial going clockwise. The final turn will automatically open the shackle of the lock. If none of these symptoms are evident, try starting with the number of the combination, 26, in the same way. Step Four If the lock still does not open, don't give up. Try searching for a different first number. Give it a good thirty or forty minute try. If you play with it long enough, it will eventually open. The more practice you have under your belt, the quicker you will be able to open these padlocks in the future. Using a stethoscope to increase audibility of the clicks is not out of the question when working on disk tumbler locks, though usually not needed for padlocks. A miniature wide-audio-range electronic stethoscope with a magnetic base for coupling a piezoelectric-type microphone is ideal for getting to know the tumblers better. Sesame Locks Another type of disk tumbler padlock is the Sesame lock made by the Corbin Lock Co. Its unique design makes it more difficult to open than Master padlocks, but it can be opened. Let's take one of the three or four wheel mechanisms, look at a cross section, and see how it works. The wheel has numbers from zero to nine. Attached to the wheel is a small cam. Both the wheel and cam turn on the shaft. Each wheel in this lock operates indepen- dently with its own cam and shaft. The locking dog is locked to the shackle. In this position the shackle cannot be opened. The locking dog operates with all three or four wheels. The locking dog is riding on the round edge of the cam. The spring is pushing up on the cam. The locking dog cannot move up because it is resting on the round part of the cam. When the wheel is turned to the proper combination number, the locking dog rests on the flat of the cam. The spring can then raise the locking dog to release the shackle, and this opens the lock. Magnetic Locks ~~~~~~~~~~~~~~ Magnetic locks are a recent innovation to the security world. Their basic operation involves the principle that like poles of a magnetic repel each other, while opposite poles repel. A magnetic lock then does not have pins, but magnets (which are often behind a plastic "roof" on the keyway). When all these magnets are in the "repelled" position, meaning a similar magnetic pole is below them, a lever arm releases the lock. A key then would have a magnet arrangement identical to that of the lock. These locks may be activated either by a flat, notchless key, or by use of a magnetic card, where in the lock actually uses a two dimensional arrangement of magnets. These are not too common, but can be found in some installations. Opening Magnetic Locks By using a pulsating electromagnetic field, you can cause the magnets in the lock to vibrate at thirty vibrations per second, thereby allowing it to open by applying constant tension to the bolt. You should be able to purchase one of these "picks" from a locksmith supply company. Unfortunately, this method usually ruins the properties of the lock's magnets, so use it in emergencies only. The magnetic pick can be used in padlocks by stroking it across the place where the key is placed. It is also designed to fit into a doorknob and is then used by stroking one pole in and out. Simplex 5-button combination locks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (*Hobbit*'s in-depth evaluation) This deals with the Simplex or Unican 5-button all-mechanical combination locks. They are usually used in a variety of secure but high-traffic applications, and come in a number of flavors: dead bolt, slam latch, lock switches for alarms, buttons in a circle or a vertical line, etc. The internal locking works are the same across all of these. Herein will be described the mechanical workings and a method of defeating the lock that falls out by logical inference and observations from playing with it. The internals Caveat: If this seems unclear at first, it is because the absolutely best way to understand the inner mysteries is to take a Simplex lock apart and study it. It is highly recommended that the reader obtain and disassemble one of the units while studying this; otherwise the following may be confusing. The locking mechanism box is swaged together at each end, but it is trivial to open up without destroying it. To set a lock up for study, remove the back, leaving the front plate held on by its Jesus clip. Put a spare thumb turn down over the shaft so you have something to grab. Take care not to lose the button connecting pins; they drop out. In the round configuration, the buttons talk via bent bars in the faceplate to the same vertical column as the straight ones. Thus all buttons henceforth shall be referred to as if they were in a straight vertical row, numbered 1 to 5 reading downward. The actual locking mechanism inside is a small metal box, about 3 inches high and .75 x .75 inch across the base. It contains five tumblers, one corresponding to each button, a common shift bar, and a couple of cams to handle reset and unlocking. The user dials the combination and turns the handle to the right to open the lock, or to the left to reset any dialed digits if he made a typo. If the proper combination has not been dialed yet, the shaft will not turn to the right. Setting a combination shall be described later. Some of the linear-style locks are actually made by Unican, but have the Simplex box inside. For these, a clockwise twist serves as both open and reset. There is a detent plate and a screwy lever system; if the lock is not open yet, the lever cannot turn to the *box*'s right. The detent slips, allows the levers to shift the other way, and the box arm is then turned to the left. If the detent does not slip, it's open, and the plate locks to the latch shaft and pulls it back. Each of the five tumblers has six possible positions. Each button does nothing but push its corresponding tumbler from the 0 position to the 1 position. Therefore, each button can only be used once, since once the tumbler has moved, the button has no further effect. The trick comes when *subsequent* buttons are pushed. Each button press not only shoves its tumbler from 0 to 1, it also advances any "enabled" tumblers one more step. When a tumbler is enabled, its corresponding gear has engaged the common bar and pushed it around one position, so the next button press will do this again, thus taking previously enabled tumblers around one more notch. This way, the further-in tumbler positions can be reached. It can be seen that there are undialable combinations; for instance, only *one* tumbler can reach position 5 for a valid combination [Positions labeled 0 thru 5, totalling six]. If one sits down and figures out possible places for the tumblers to go, many combinations are eliminated right away, so the number of possibilities is *not* 6^5 as one might expect. Two-at-once pushes are also valid, and are *not* the same as pushing the given two in some other order. Pushing two [or three or ...] at once simply enables two tumblers at once and shoves them to position 1 at the same time. [This of course leaves less buttons unused to push them in farther!] The tumblers themselves are small round chunks of metal, with gear teeth around the top half and a notch cut into the bottom edge. When all these notches line up with the locking bar, the lock is open. The tumblers are mounted on a vertical shaft so they can spin, with the locking bar fingers resting against the bottom of each one. The locking bar is prevented from rising if any notch is turned away from it. Juxtaposed to the tumblers is another shaft containing idler gears, which in turn talk to the common bar in the back. The intermediate shaft slides up and down and makes combination changes possible. Note: The buttons actually talk to the idler gears and not the tumblers themselves. This is necessary since during a combo change, the tumblers cannot move because the locking bar teeth are sitting in the notches. [Editor's note: Simplex locks are set at the factory with a default code of (2-4), 3. This is often not even changed.] Combination change, other random facts Once you know the current combination, you might want to change it. Instructions for doing this undoubtedly come with the lock; but it's real easy. There is a screw in the top with a hex hole; remove this from the lock body. Dial the proper combination, but don't move the handle. Press straight down through the hole with a small screwdriver, until you feel something go "thunk" downward. The lock is now in change mode. Reset the tumblers [leftward twist], enter your new combination, twist the handle as though opening the lock, and your change is now in effect. Re-insert the screw. This does the following: The thing you hit with the screwdriver pushes the tumblers down onto the locking bar [which is why the proper combination must be entered], and disengages them from their idler gears. Button presses turn the *idler* *gears* around, and then the opening action shoves the tumblers back up to mesh with these gears in their new positions. A subsequent reset mixes the tumblers up again to follow the new combination. This description is admittedly somewhat inadequate; the right thing to do is take one of the locks apart and see for one's self what exactly happens inside. The Unican model has a disk-locked screw on the rear side. Removing this reveals a round piece with a flat side. Twist this clockwise to enable change mode as in the above. This lock, of course, would be a little more secure against random people changing the combination for fun since you ostensibly need a key to get at it. Keep in mind that "reset" on these is done by turning the knob all the way *clockwise* instead. There is a linkage that ensures that the shaft inside goes counterclockwise for the time that change mode is enabled. It is amusing to hear local locksmiths call the Simplex internals a "computer". It would seem that none of them have taken one apart to see what is really inside; the box is painted black as far as they are concerned and non-openable. Obtaining one is the unquestionably best way to learn what's in there. Unfortunately they cost on the order of $120, a price which clearly takes advantage of the public's ignorance. These locks are *not* pick-proof after all, and anyone who maintains that they are is defrauding the customer. There are a variety of ways to increase the picking difficulty, to be discussed elsewhere. Your best bet is to borrow one from somewhere for an evening and spend the time learning its innards. Determining an unknown combination Contrary to what the marketing reps would have you believe, the locks can be opened fairly quickly without knowing the set combination and without damaging the lock. Through a blend of a soft touch, a little hard logic, and an implicit understanding of how the locking mechanism works, they generally yield within five minutes or so. [There are *always* exceptions...] This method requires that one does not think in terms of a sequence of button presses. One must think in terms of tumbler positions, and simply use the buttons to place tumblers where desired. For practical description purposes, it will be assumed that the buttons connect right to the tumblers, rather than the idler gears that they really do. The idler gears are a necessary part only during combination changes. Unless you are doing a change, considering it this way is pretty close to the facts. Remember that a 0 position means the button was never pushed, and 5 is enabled and shifted as far as possible. Turning the thumb handle to the right [clockwise] raises the locking bar against the tumblers. Since the lock is never machined perfectly, one or more tumblers will have more pressure on it than other ones, and this shows up as friction against it when it is turned via the button. This friction is felt in the short distance between fully-extended and the detent on the button [the first 2 or 3 mm of travel]. Some will travel easily to the detent, and others will resist efforts to push them in. Suppose you are twisting the handle, and tumbler 1 has lots of pressure on it [you can feel this when you try to push button 1 in]. When you back off the tension on the handle a little bit, the button can be pushed in against the resistance. The fact that the button has resistance at position 0 tells you that tumbler 1's proper position is *not* 0, or there would be no pressure if the notch was there! Upon pushing button 1 in, you find that no pressure has appeared at any other button. This eliminates position 1 for tumbler 1, also. Now, how do you get tumbler 1 to different positions so you can test for pressure against other ones? Push subsequent buttons. Push any other button, and tumbler 1 advances to position 2. Ignore what the other tumblers are doing for the moment. Now, perhaps another button has some resistance now. This means that tumbler 1 is either at the right position, or getting close. Basically you are using other tumblers to find out things about the one in question. [Keep in mind that the first one with friction won't *always* be tumbler 1! Any tumbler[s] could have the first pressure on them.] Continuing, push another "don't care" button. A "don't care" button is one that is not the one you're trying to evaluate, and not the one that recently showed some friction. What you want to do is advance tumbler 1 again without disturbing anything else. Did the pressure against your test tumbler get stronger, or disappear? If it got stronger, that points to an even higher probability that tumbler 1 is supposed to be at 3, rather than 2. If the pressure vanished or became less, 1 has gone too far, and you were safer with it at position 2. Let's assume that the pressure against your test tumbler increased slightly when tumbler 1 was at 2, increased even more when tumbler 1 was at 3 and vanished when you pushed it onward to 4. Reset the lock. You now know the proper position of tumbler 1 [that is, whatever tumbler first had pressure on it]. You've already drastically reduced the number of possible combinations, but you aren't finished yet. You can now eliminate positions for the next one or two tumblers the same way -- but to set things up so you can feel the pressure against these, you must ensure that your newly-known tumbler [1 in this case] is in its proper position. It is useful to make a little chart of the tumbler positions, and indicate the probabilities of correct positions. Positions 0 1 2 3 4 5 ---------------- 1 : L L + T L | <-- Indicates that tumbler 1 is not 0, not 1, maybe 2, more likely 3. Tumbler 2 : | | | | | | number 3 : | | | | | | 4 : L | | | | | <-- Indicates that tumbler 4 is not 0. 5 : | | | | | | This chart is simply a bunch of little vertical lines that you have drawn in a 5x6 matrix; the topmost row corresponds to button 1 and the lowest to 5. Mark the probabilities as little hash marks at the appropriate height. The leftmost bar indicates position 0, rightmost 5; a high mark on the left side indicates that the tumbler is 0, or is never used. The relative heights of your tick marks indicate the likelihood of the notch on the respective tumbler being there. If you don't know about a position, don't mark it yet. This chart serves as a useful mnemonic while learning this trick; as you gain experience you probably won't need it anymore if you can remember tumbler positions. A tumbler at the 0 position is already lined up before any buttons are pressed. This will feel like a lot of loose play with a little bit of pressure at the end of the travel, just before the enable detent. Be aware of this; often enough the first button with pressure can be a 0, and if you aren't watching for 0 positions you can easily assume it's a don't care, push it, and screw your chances of feeling others. Make sure your "don't care" test buttons aren't supposed to be at 0 either. It's a good idea to run through and try to find all the zeros first thing. Let us continue from the above. You have found that tumbler 1 is most likely to bet at position 3, with a slim chance of position 2. This is marked in the above chart. The reason this can happen is that the tops of the locking bar teeth are slightly rounded. When the tumbler is one away from its opening position, the locking bar can actually rise higher, since the notch is halfway over it already. So don't assume that the first increase in pressure on other buttons is the right position for the one you're finding out about. Let's assume that the next pressure showed up on button 4. You can feel this when tumbler 1 is at position 3; to get tumbler 1 out there, let's say you used the sequence 1,2,3. 2 and 3 were your "don't care" buttons used only to push 1 around. Therefore now, tumbler 1 is at position 3, 2 is at 2, and 3 is at 1. 5 and 4 are at 0, and can therefore be felt for pressure. The next step is to find the proper position for the next button with pressure against its tumbler. Many times you'll get more than one that exhibit pressure at the same time. Figure out which button has more pressure on it now with your first tumbler in the right position. In this example, only 4 applies. You now want to advance tumbler 4 to different places, *while* keeping 1 at its proper place. 1 must always advance to 3 to free the locking bar enough to press on other tumblers. To place tumbler 1 at position 3 and 4 at position 1, you would do something like 1,2,4 and check 3 and 5. To place tumbler 1 at position 3 and 4 at 2, you would do something like 1,4,2. To place 1 at 3 and 4 at 3, you have to press 1 and 4 at the same time, and then advance that mess by two positions. If you use 2 and 3 for this, the notation is (14),2,3, which means 1-with-4, then 2, then 3. You can also do 4,1,2,5 to put 4 at 4 and check 3. If all these tests fail, that is, no pressure appears at any other button, you can start assuming that 4 is supposed to be way out there at position 5. For the example, let's say you did 1,4,2 and pressure showed up on button 3. To double-check this, you did (14),2,5, and the pressure on 3 went away. So tumbler 4 must have gone too far that time. Place a fairly high tick mark on the chart at tumbler 4, position 2 to indicate the probability. Note: A better way to do that last test, to avoid ambiguity, is to do 1,(42),5 and check 3, then do (14),2,5 and check 3. This ensures that the only change you have made is to move tumbler 4 from 2 to 3 an avoids the possibility of movement of tumbler 2 giving bogus results. Through the entire process, you want to try to change one thing at a time at every point. Sometimes one of this sort of possible test setup won't tell you anything and you have to try another one [in this case, perhaps 1,(45),2 and then (14),5,2 while checking 3. This has simply swapped the positions of 2 and 5 during your testing]. You now know two tumbler positions, with a high degree of confidence, and have further reduced the possible combinations. From here, you could mix tumblers 2,3 and 5 into the sequence with various permutations, as long as you place 1 and 4 correctly every time. This would still take some time and brain work ... let's try to find out something about some other buttons. Place 1 and 4 where they're supposed to go ... the sequence 1,4,2 will do it, and see what's up with the other buttons. 1,4,3 will leave 2 and 5 available. You find eventually that 2 and 3 have the next bit of pressure distributed between them [and are nonzero], and 5 feels like a 0, as described above. To confirm this, advance 5 along with some other button and check 3. Bingo: There is no pressure on 2 when 5 is enabled [and you have not changed anything else besides 5's position], so you can firmly decide that 5 is 0 after all. So leave it there. [You did this by advancing 1 to 3 and 4 to 2, as usual, so you can feel 2's pressure in the first place.] By now you should know the proper positions of three of the tumblers, and have eliminated any other zeros by feeling their initial pressure. Now, since 2 and 3 have the next pressure on them, try and find out more about them. You know they aren't zero; suppose we try 1? To do this you must get one of them to 1, 1 to 3 as usual, 4 to 2, and leave 5 alone. How? Use hitherto unknown buttons as dummies to position the tumblers right. For instance, the sequence 1,4,3 will do what you want here; you then check pressure on 2. Or 1,4,2 and check 3. Here you may notice that the pressure on the leftover is a *little* stronger than before, but not enough to make any sure judgement. Well, now you want to advance an unknown to position 2 - but you suddenly notice that if you do [by doing something like 1,(42),3] there are no free buttons left to test for pressure! 'Tis time to try possibilities. Your only unknowns are 2 and 3 now. You must now advance 1 and 4 to their proper positions, leaving 5 alone, while sprinkling the unknowns around in the sequence in different permutations. Use your chart to remember where the known tumblers must go. Sometimes you get two possibilities for a tumbler; you must work this into the permutations also. In this particular example, you know that either 2 or 3 [or both!] must be the last button[s] pressed, since *something* has to get pressed after 4 to advance 4 to position 2. An obvious thing to try is putting both the unknowns at position 1 by doing 1,4,(23). Try the handle to see if it's open. No? Okay, now leave one of the unknowns down at 1 and mix the other one around. For instance, for 2 at 1 and 3 at 2, you do 1,(34),2 -- nope. Advance 3 one more; (13),4,2 *click* -- huh?? Oh, hey, it's *open*!! Well, when you are quite through dancing around the room, you should know that your further possibilities here ran as follows: 3,1,4,2 ; to end the permutations with 2 at 1 1,(24),3 ; and permutations involving 3 at 1. (12),4,3 2,1,4,3 One may see how things like 2,1,(34),x are eliminated by the fact that 1 must get to 3, and 5 must stay still. Since only 4 buttons could be used, no tumbler can get to position 5 in this particular combination. Note also that the farther *in* a tumbler has to go, the earlier its button was pressed. If all this seems confusing at first, go over it carefully and try to visualize what is happening inside the box and how you can feel that through the buttons. It is not very likely that you can set up your lock exactly as the example, since they are all slightly different. Substitute your first- pressure button for the 1 in this example. You may even have one that exhibits pressure against two or more tumblers initially. Just apply the differential-pressure idea the same way to find their most likely positions. The example is just that, to demonstrate how the method works. To really understand it, you'll have to set your lock up with some kind of combination, and apply the method to opening it while watching the works. Do this a few times until you understand what's going on in there, and then you'll be able to do it with the lock assembled, and then in your sleep, and then by just waving your hands and mumbling.... A 5-press combination makes life a little tougher, in that you lose versatility in your freedom of test positions, especially if your first- pressure tumbler is at position 5. Here you can use the "almost" feature to your advantage, and advance the errant tumbler to one before its proper spot, and hope to see increased pressure on other tumblers. When a tumbler is one away from right, the locking bar tab is hanging a large section of itself into the tumbler notch, and the tab's top is slightly rounded. So it can rise a little higher than before. If you twist the handle fairly hard, you can distort the locking bar slightly and make it rise higher [but don't twist it hard enough to break away the safety clutch in the shaft!] The chances of someone setting this sort of combination without prior knowledge about the *specific* lock are almost nonexistent. As if that wasn't enough, the next thing to deal with is the so-called "high-security" combinations involving half-pushes of buttons. The long initial travel of the tumbler permits this. If you look at your open mechanism and slowly push in a button, you'll see that the tumbler actually travels *two* positions before landing in the detent, and further motion is over one position per press. There is no inherently higher security in this kind of combination; it's just a trick used against the average person who wouldn't think of holding a button down while twisting the latch release. It's quite possible to defeat these also. When you are testing for pressure against a tumbler set at "one-half", you'll feel a kind of "drop-off" in which there is pressure initially, and then it disappears just before the detent. Before testing further buttons, you'll have to "half-enable" the appropriate "one-half" tumblers so the locking bar can rise past them. Set your lock up with a couple of combinations of this type and see how it works. Note that you must hold down the "half" buttons just before the detent click while setting or opening. This makes an effective 7 positions for each tumbler, but in a standard [no "halfs"] setup, it's effectively 6. This is Simplex's "high-security" trick that they normally only tell their high-dollar military customers about. After working the lock over for a while, it's intuitively obvious. The Unican type has no direct pressure direction of twist; if you turn too far to the right you only reset the tumblers. What you must do is hold the knob against the detent release just tight enough to press the locking bar against the tumblers inside the box but not hard enough to slip the detent. There is a fairly large torque margin to work with, so this is not difficult to do. Unicans do not twist to the left at all, so ignore that direction and work clockwise only. Possible fixes The obvious things improvements to make are to cut notches of some kind into the locking bar teeth and the tumblers, so that the pressure can't be as easily felt. Another way might be to have a slip joint on the locking bar that would release before a certain amount of pressure was developed against it, and thus never let the tumblers have enough pressure against them to feel. The future may see an improved design from Simplex, but the likelihood does not seem high. They did not seem interested in addressing the "problem". Automotive Protection Systems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are several types of locking devices found on cars today. Standard window locks, exterior locks, ignition locks, and the famous third party "club" type steering wheel locks. Wing or vent windows have several types of locking devices. The most common is simply a lever that turns to prevent the window from opening. Another type of wing window lock has a lever latch equipped with a plunger at the pivot of the latch. The plunger deadlocks the latch against rotation, unless the plunger is first pushed in and held until the initial stage of rotation has been accomplished. Naturally, these are a bit more secure. The most popular auto locks for the exterior and ignition are a derivative of the wafer tumbler locks called the "side-bar wafer lock." Side-bar wafer locks offer more protection then either the wafer tumbler or pin tumbler (of course they cost more.) When all of the tumblers have aligned to their breaking points, a spring-loaded bar falls into place, allowing the cylinder to turn. Ford auto locks are an exception, as they have pin tumbler locks. Club Type Locks One of the "club" type auto locks is an extensible bar that has opposing hooks that nominally wedge between spokes on the steering wheel. The bar itself is notched at 1" intervals or so. The key on these is rather impressive; it's a brass tube with at least three sets of chamfers drilled into their sides. Defeating Club Type Locks The weak part of these locks is not the keyway; it's the extensible bar. The notches provide built-in weak spots. The lock can be forced in about three seconds. Do as follows (it helps to be relatively strong): 1) Put on weightlifting gloves. 2) slide driver's seat all the way back. 3) tilt driver's seat all the way down. 4) tilt steering wheel all the way down. 5) put your feet on ends of "club" (past the rim of the steering wheel) 6) grasp center of the notched extension bar. Don't interlace fingers, just grab with your dominant hand and then grab over that hand in the other direction with the other hand. 7) Take a deep breath 8) While smoothly exhaling, hold on tight with your hands and straighten your legs. (classic leg press -- even Joe Average can exert twice his body weight in this mode.) 9) "Club" will conveniently bend into a horseshoe or shatter at a convenient notch, depending on the mood of the guy running the tempering furnace. This is why you wear weightlifting gloves while doing this trick- it keeps the steel fragments from cutting you. There is another "club" that has a collar that wraps around a segment of the steering wheel; these cost more, are much less common, and the above technique does not work for them. However, you can hacksaw the wheel in one place and "spring" the wheel enough to allow the collar to pop off the wheel. Bend the wheel back, add some tinted epoxy, and you're clean. Auto Alarms More and more, people are using auto alarms to try to protect their vehicles. Unfortunately, if somebody wants to steal your car, they will. No amount of protection will prevent this. The strategy behind an auto alarm is to make your car more of a pain to steal then somebody elses. Here are the basics of car alarms. The Brain The main alarm unit, sometimes called the "brain", is mounted in the most secure place that can be found. Up inside the dashboard for instance. They basically took the whole dash apart, install the alarm, and then put the whole dash together around it. Some places install the brain under a seat or even up under the carpet on the passenger side ("so they can adjust it easier"). This is incredibly stupid. Starter Kill Basically, when the alarm is armed, the starter is electronically disconnected so the car cannot be started or even hot wired. Most alarms have this as a standard feature. Valet switches This is a toggle switch that can be set to keep the alarm from going off if the owner has to leave it with a valet or for car repairs. Most of the systems have this feature. Passive vs Active Arming With passive arming, the alarm becomes armed after a given time period after the last car door has closed. To disarm, you can either get in to the car and place the key in the ignition within a certain time period or press a button on a remote transmitter to disarm the alarm. With active arming, you have to press a button on a transmitter to arm the alarm. To disarm, you press the transmitter button again. Arming and Disarming beeps Most alarms give you an audible alert when the alarm is armed or disarmed. This serves two purposes. One is to let you know the alarm is working and on the job. The other is to let others know the car has an alarm. Motion Sensors Some alarms like the UNGO box and others have a motion sensor. In the UNGO Box's case, it is a tube filled with mercury surrounded by a wire coil. When the car moves, the mercury moves within the tube causing current to flow in the coil. This is what sets the alarm off. Other have some type of spring with a weight on it so when the car moves, the weight bobbles back and forth and makes contact with the casing causing the circuit to be completed. The former method has a patent, the latter has no patent because it is worthless. If you have ever heard a parking lot full of alarms going off at an airport or a parking deck, it is because of this type of sensor. These are prone to false alarms from passing trucks, thunder, airplanes, etc. The UNGO Box's sensor is highly adjustable, however, if you adjust it to eliminate all false alarms, then you have basically disabled its usefulness for triggering real alarms. Shock Sensor This is what comes standard on most alarms. It basically senses motion like a motion sensor but scans a very short period of time. You can rock the car and push up and down on it and the shock sensor will not go off. If you kick a tire or hit the window or door with your fist, the alarm goes off. Glass Breakage Sensor What this is supposed to do is pick up on the particular high frequencies of glass being broken or cut and to trigger the alarm. It is basically a microphone placed somewhere inside the car. Field Motion Sensor (Perimeter Guard) Basically this is the type of sensor which sets up some type of field around the car and inside the car to detect masses coming close to the car. It is a must for convertible owners. These aren't as common as most other types because of the extremely high cost. There are many cheap ones available to add to any alarm, but they have nothing but problems with them (i.e. false alarms). Some Alpine systems are designed especially for this type of sensor and have a price tag to match. They are basically useless on hard top cars. Some cheap units are set off by anything. There is a car parked right outside of my classroom which is always being set off by falling rain and passers by. Very annoying. There are other fancy alarms which have a pre- recorded message like "Please step away from the car ...". These are really stupid and a waste of money. I heard of a new BMW being tortured by a group of kids throwing rocks at it just to hear the little voice go off. Current sensor This basically monitors the current drain on the battery. If it changes, i.e. a door is opened causing a light to come on, the alarm is triggered. This is how many cheap alarms are triggered. They just monitor the current. The doors and trunk are all protected because they have lights which will come on when opened. The problem is, most newer cars have a fan inside the engine compartment which comes on even after the car is turned off. The resulting drain on the battery will trigger a current sensor. Seat pressure sensor If someone sits in the seat, the alarm is triggered. Not very practical unless on a convertible. By the time the thief is in your seat, your car or your stereo is history anyway. Backup Battery This is an emergency backup battery for the car alarm. It charges off of the car alternator just like the car's battery. If the car's battery goes dead or if the power cables are cut, the battery can still run the alarm and the siren. The alarm will remain armed. With cheaper alarms and/or poor installations, some systems might end up wired into the car in a haphazard way. Most alarms flash the car's parking lights when activated. All a thief has to do is short out a parking light, set your alarm off and whammo, your car and the alarm goes dead. Thief gets in, replaces the right fuses and off he goes. Automatic Door locks/Unlocks Another neat feature is automatic door locking. This is an option on most alarms. It uses what they call an "output" from the alarm which can be programmed to do various things. Most installers set this up so that when the alarm is armed, all doors lock and when the alarm is disarmed, all doors unlock. Pagers A pager (sometimes called Autopage) is used to page the owner's beeper when the car alarm goes off. This way they can run to the parking lot and chase a potential car thief away or catch the person who just rammed in to your car before they speed away. Pagers may also use up an "output" on the alarm unit. Some hook on to the siren and are triggered off of the vibration when the alarm goes off. Transmitters These of course are used to remotely turn the alarm on and off. It seems that with cheaper and/or older alarms, it is possible to transmit all of the codes in rapid fire sequence to a car alarm. Eventually, you will hit upon the right code combination to disarm the alarm. The average alarm has around 2 to the 29th codes which is not very many. Newer (and probably more expensive) alarms can sense this and lock out any further attempts for a given time period. The Marlock System ~~~~~~~~~~~~~~~~~~ The Marlock System uses a key consisting of a piece of metal with holes bored in it, and then covered up with strips of IR-invisible plastic. Thus, you can't see anything in the plastic, but IR in the keyhole reader can see thru just fine. It decodes this, sends it to a controller interface box, which sends it to a controller PC, which says "cool or uncool", and if cool, then the interface box sends power to the strike on the door, and turns the LED on the reader green. Each area that is to be accessed via Marlock must have some sort of reader device. This can be either a "keyhole" in the knob, a plate on the wall with the keyhole in it, or whatever. The reader is hooked up to a controller interface box. this box is locked with a really poor lock (like you'd have on your diskette box) and is located close to the area being secured, often in the ceiling. The controller interface box simply provides power for the reader, the little LED over the top of the reader, and the electric strike locking the door. The whole thing is controlled by an IBM PC with a reader keyhole mounted on the front of the PC which runs to an interface card inside the PC. To program a key into the system, one simply inserts it into the keyhole on the front of the PC, and then tells the program when and where this key can work. This is stored in its database, and recalled by the reader as needed. Also the PC keeps logs of when and where a key was used -- whether or not it worked! There are audit trails all over the place. If the power goes out, then whether or not the door opens is dependent upon the strike which was installed. IT can be either fail-safe (i.e. no power -- open!) or fail-secure (i.e. no power- lock!). However, for fire safety code requirements, companies often install it on the side of the door which allowed entry to a restricted area -- not exit. Some of the Marlock cylinders have a small brass spot in the middle of the LED. This is an emergency override. One would insert a marlock key, and use a 9V battery between the key and the pin to provide a signal to the interface controller to pop the strike. This may not still be the case however. Defeating the Marlock System Since there's an electric strike all you have to do is provide power to the strike so it'll release. This is usually 12-24 volts DC, and is easily obtained from some lantern batteries. The activation wires for the strike usually run down inside the door jamb from the controller interface box. And if you have access to the controller interface box, then just pick the lock on the front of it. The heavier wires are for the electric strike (the thin wires are from the reader). Then just apply power to the thing -- use jumper wires to get the power from the controller interface box... VingCards ~~~~~~~~~ These cards are used primarily by hotels, and our quite unique. The lock is a matrix of 32 pins which have two possible positions each [sort of like a vax...]. Two of these are special and aren't really used in the keying. The remaining 30 are constructed out of standard pin and driver parts, except that all the drivers are the same length and all the pins are the same length. The pin-driver combinations sit pointing upward [the springs are underneath] in a sort of matrix about 1.5 inches on a side. Above each pin-driver combination sits a steel ball. The entire matrix is enclosed in a *plastic* assembly, part of which can slide "forward" [i.e. away from the user]. Some of you may be familiar with the keys: white plastic cards about 3 inches long with a bunch of holes in one end. Pushing this into the slot until it "clicks" forward opens the locking mechanism. The lock combination is set by inserting a similar card, only half as long, into the *back* of the lock. This card is the same thickness as the opening card and has part of the hole matrix cut out. A juxtaposition of this combination card from the back and the key card from the front closes the matrix: i.e. if you overlay the combination and key cards in their opening configuration, there are no open holes left, *exclusively*: i.e. where there is a hole on the combination card there is solid on the key card, and vice versa. Thus the complement of the proper key card is the combination card. This is enforced by the placement of the ballbearings and pins in relation to the sliders and top plate, so a workaround like a card with all holes cut out or a solid card does not open the thing. The combination card slides in between the conical pin ends and the steel ballbearings [and is thus harder to push in than the key card]. The key card comes in over the balls, and its thickness pushes the balls under its solid regions downward. So each pin assembly is pushed down, when the lock is open, the same amount, be it by the key card hitting the ballbearing or the combination card wedging the actual pin downward. Clarification: Let us define a "1" pin as a hole in the opening card. Thus a "0" pin sits under a solid portion of the opening card and a hole in the combination card. A 0 pin opens as follows: Since the combination card lets the pin rise up against the steel ball, the keycard pushes the ball [and its pin] down to the bottom of the keycard slot. This brings that pin to its shear line. Simple. Here's the magic -- a 1 pin opens in the following fashion: Since the combination card is solid there, the steel ball is sitting directly on the combination card, and the pin underneath is *already* at its shear line. If a solid keycard portion arrives over this ball, the ball is pushed down against the combination card and *pushes the entire area of the combination card down under it*, lousing up not only that pin's shear line but probably a few around it. Although a clever mechanism, this depends on the elasticity of the combination card to work. Note that as the key card is inserted and removed, the combination card will be flexed up and down randomly until the keycard comes to rest at its opening position. [Correction to above: each pin really has *three* possible positions. Hmm.] All this happens within the confines of the sliding *plastic* frame; this part carries the two cards, the balls, and the top halves of the pins. The stationary part underneath this contains the drivers and springs. A metal plate bolts down on top of the sliding piece, leaving a gap just big enough for the key card. If the screws holding this plate were to become loose, the plate would rise up, the key card would sit too high up, and the lock would not open. All the positioning is done by the thickness of the keys while they rest against the surfaces of their slots. Therefore a piece of thin cardboard will not serve as a duplicate key. We found that two pieces of plastic "do not disturb" sign, cut identically and used together, were thick enough to position things correctly and open the lock. A rough top view: Pin mechanism: Back _ = top plate Front Back o o o o <> = balls ________________________________ o o o H = keycard HHHHHHHHHHHHH<>HHHHHHHHHH<>HHHHHH ## QQ o o o o O = comb. card --> QQ OOOOOOOO<>OOOOOOOOOOOOOOOOOOOOOO o o o # = slider QQ# [] [] [] ## QQ @ o o @ [] = pins QQ###[]####[]####[]################# o o o || = driver/ QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ o o o o spring asm QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ o o o Q = stationary QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ o o o o housing QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ Front It is hoped that the diagram on the right, with its three example pins, will show sufficiently that if two holes coincide the pin will rise too far, and if two solid places coincide, the entire combination card would be pushed down by the ballbearings. There is sufficient space underneath the combination card for it to sag down and foul the shear line; it is normally held upward by the pins' spring tension against the underside. This diagram may be misleading if it is not understood that the balls are actually larger than shown; i.e. the height of approximately three cards stacked up equals the diameter of the ballbearing. There is a thin layer of slider plastic between the keycard and the combination card, which separates them and retains the ballbearings. The @'s in the top view are the two magic pins. These prevent the lock from working at all unless a combination card is inserted. They are a bit thicker than the other pins and do not have ballbearing parts. The slider above the combination card slot here is solid, so these pins have nothing to do with the keycard. They simply hold the lock shut if no combination card is installed, regardless of what is done with a keycard. Therefore if one were to make a combination card that only pushed down these pins, a solid keycard would work. And if one inserts a solid combination card, the lock is already open before you insert anything. [This is a useful hack that will allow anyone to open the door with just about any tool, in case you are crashing lots of people in a room, don't have enough keys, and don't feel like making more. Naturally your security is compromised, but only those who know what's going on will be able to get in.] The slider has a bracket bolted on to it, which reaches down toward the doorknob and pushes a moveable sleeve with a square hole through it. This joins two sections of a three-section split shaft together, which allows the outside knob to retract the bolt. The inside knob is "hardwired" to the bolt action and always opens the door. The extra split in the shaft is so that with the card in place, the lock will still behave like a regular split-shaft knobset [and disable opening if the deadbolt is shot]. There is a hinged plastic door on the back [inside] of the lock, which is held shut with a screwdriver tab inside a slot. This is where the combination card goes, although this door exposes enough to see the entire slider mechanism [except for its inner works; the entire back must be taken off to get the slider out]. Now, the security evaluation: I see no clear way to "pick" it. The rear pins are hard to get at without touching the frontmost ones. However, this lock would be *very* easy to defeat, in the following fashion: A thin tool about the thickness of a keycard and about .2 inch wide can cover one column of ballbearings. If this tool is slowly slid straight into the slot along each column in turn, the resistance encountered as it contacts each ball indicates whether there is a hole or not underneath it in the combination card. The combination card presses upward against the ball more strongly than the pin's spring does, so this would allow one to map the combination card and then construct the keycard complement. This process wouldn't take very long. I therefore recommend that these locks be considered less than high-security. Furthermore, come to think of it, a small hole drilled in the front plate [which I doubt is hardened] would make it easy to frob the slider or split shaft. Electronic Hotel Card Locks ~~~~~~~~~~~~~~~~~~~~~~~~~~~ These are wonderful little microcomputer projects masquerading as door locks. Inside there's a processor running a program, with I/O leads going to things like the magnetic strip reader, or the infrared LEDs, and the solenoid, and the lights on the outside. They are powered entirely by a battery pack, and the circuitry is designed such that it draws almost nil power while idle. The cards are usually magnetic-strip or infrared. The former uses an oxide strip like a bank card, while the infrared card has a lot of holes punched in it. Since IR light passes through most kinds of paper, there is usually a thin layer of aluminum inside these cards. The nice thing about these systems is that the cards are generally expendable; the guest doesn't have to return them or worry about lost-key charges, the hotel can make them in quantity on the fly, and the combination changes for each new guest in a given room. The hotel therefore doesn't need a fulltime key shop, just a large supply of blank cards. Duplication isn't a problem either since the keys are invalidated so quickly. The controlling program basically reads your card, validates the number it contains against some memory, and optionally pulls a solenoid inside the lock mechanism allowing you to enter. The neat thing about them is that card changes are done automatically and unknowingly by the new incoming guest. The processor generates new card numbers using a pseudorandom sequence, so it is able to know the current valid combination, and the *next* one. A newly registered guest is given the *new* card, and when the lock sees that card instead of the current [i.e. old guest's] card, it chucks the current combination, moves the next one into the current one, and generates the new next. In addition there is a housekeeping combination that is common to all the locks on what's usually a floor, or other management-defined unit. There is no wire or radio connection to the hotel desk. The desk and the lock are kept in sync by the assumption that the lock won't ever see the "next" card until a new guest shows up. However if you go to the desk and claim to have lost your card, the new one they give you is often the "next" card instead. If you never use it and continue using your old card, the guest after you will have the wrong "next". In cases like this when the hotel's computer and the lock get out of sync, the management has to go up and reset the lock. This is probably done with a magic card that the lock always knows about [like in ROM], and tells it something akin to "use this next card I'm going to insert as the current combination". The pseudorandom sequence simply resumes from there and everything's fixed. If the lock loses power for some reason, its current memory will be lost but the magic "reset" card will work. Rumor has it that these locks always have a back-door means of defeating them, in case the logic fails. Needless to say, a given manufacturer's method is highly proprietary information. In theory the security of these things is very high against a "random guess" card since there are usually many bits involved in the combination, and of course there is no mechanical lock to be manipulated or picked. The robustness of the locking hardware itself sometimes leaves something to be desired, but of course a lock designed for a hotel door probably isn't the kind of thing you'd mount on your house. Security Alarm Systems ~~~~~~~~~~~~~~~~~~~~~~ Security alarm systems are becoming more and more common in the home and small business. They will become more and more popular in coming years as their prices continue to fall. There are basically two types of systems, the open circuit and closed circuit system. The Open Circuit System An open circuit system is composed of magnetic detectors or contacts that are "normally closed." That means that their contacts are separated when the door or window is in the normally closed position.When the door or window is opened, the contacts are released, causing them to close. This allows current to flow through the wires, and the alarm sounds. All the contacts and detectors are wired in parallel. This means that current flows ONLY when any contact or detector switch makes contact. Let me illustrate: switch is open switch is closed wire ----#############1############# ----#############1############# #############2#############--- #############2#############---- ########## wire ========================== | MAGNET | (Magnet has been removed) ========================== A Normally Closed Switch Assembly In the first figure, the "normally closed" switch assembly, which would be mounted about the door, is help open as the lower portion (#2) is pulled to the magnet which would be mounted on top of the door. The magnet has an attractive force greater than the force of a spring which normally holds the two parts of the switch closed. In this position, no current flows through the switch. In the second figure, the door would be open, and thus the magnet not aligned under the switch. Both halves of the switch have been returned to their "normal" position, closed, by the spring. The obvious disadvantage of an open circuit system is that it become inoperative if a transmission wire is cut, a contact or terminal wire becomes loose, or some similar condition. For this reason, circuit wiring for this type is often concealed. The vulnerability of the system is minimized by a test switch or key position which sends current through the main circuit wiring and reveals any line breaks. This test lights a small warning lamp on the main panel, bypassing the main alarm. This will only test the integrity of the circuit, not individual detectors. When the open circuit system is engaged, an alarm will occur immediately if any doors are windows have been left open. Of course the alarm will also sound anytime a door is used while the alarm is in operation. Many times a bypass switch will be placed next to frequently used access ways. This can be dangerous because someone can break a door or window pain, activate the bypass switch, and have free access to the entrance. The Closed Circuit System In a closed circuit security system, low amperage current continuously flows from the power source, throughout the detector switches, to the supervising relay (a type of switch) in the control panel. The detector switches are of the normally open type. This is the opposite of the normally closed type. The magnet holds the normally open switch assembly together, so current flows through the switch. When the magnet is removed, the switch springs open, and current ceases to flow throughout the circuit. The supervising relay monitors the current in the circuit, and should it be interrupted (by a door opening and causing a detector switch to open), it will activate the alarm buzzer, telephone dialer, siren, or whatever. Note that in the closed circuit system, any attempt to cut the wires would have the same effect as opening a detector switch. The current would be interrupted and the alarm would sound. This makes the closed circuit a much more secure system than the open circuit type. The closed circuit system requires more sophisticated equipment and the circuit installation must be precisely wired. Closed systems are also prone to more frequent false alarms. Security Alarm System Power Sources The current for most systems comes from battery, transformer, or a recharging pack. The recharging pack is a complete power supply providing 6-12 volts of power. This is enough to run several separate alarm circuits and even a six volt telephone dialer. It is usually equipped with nicad backup batteries in case of power failure. Magnetic Detectors I used the "Magnetic Detector" when explaining the closed and open circuit types of security systems. These are by far the most common type of detectors used. As discussed before, they are a two part assembly consisting of a magnet and a switch. Both are encased in a weatherproof plastic case. Tamper Switch or Plunger Contact Another popular type of detector is the tamper switch. It may be used on windows, alarm boxes, or control panels. It consists of a switch assembly with a spring loaded "plunger" protruding from one end. It is available in both the normally open and normally closed configurations. All-Purpose (Bullet) Detector This is a beveled button used primarily on doors or double-hung windows. The button is installed in the hinged side of the door frame, recessed into the frame. When the door is closed, the button is depressed. When opened, it of course pops out. Floor Mats Pressure sensitive mats wired with open or closed circuits to make or break contact when stepped upon are used as backup to perimeter security systems such as rear entrance doors. They can be placed under regular carpeting or loose rugs. Door and Window Traps These are basically "trip-wires" and aren't used too often. They do work well in areas where conventional detectors would not work, and are substantially cheaper than infrared. They can be placed in either a horizontal or vertical configuration. For open circuit systems, an insulated plug is placed between the contacts of the detector. When it is tripped, the plug is pulled out, causing the detector's switch to close. For a closed circuit system, one end of the trip wire is attached to one end of the switch, and the other end of the trip wire to the other half of the switch. This way current still flows in the circuit. When the wire is tripped, the circuit breaks. Photoelectric Systems Photoelectric systems transmit invisible pulse modulated beams from projector/transmitter to receiver. Interruption of the beam sets off the alarm. Although the system is designed primarily for interior used, military systems have been developed for use on the exterior, even in dense fog. Emergency Panic Button This permits an alarm to be activated by use of a pushbutton located near a front door, in a bedroom, or hidden under a counter. In a business, such a button could be used as a "holdup" button, silently summoning the police or activating the normal store alarm system. Automatic Telephone Dialer This is a device that will automatically call the appropriate telephone number and relay a prerecorded message. These devices are often used to contact the police, private security, or store officials. Of course, the system is at risk if the exterior phone wires are accessible. For this reason the phone wiring will be either incased in a steel sheath or wired for alarm. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------------------------------------------- --- US Secret Service Radio Frequencies --- -- -- - [From information gathered from Miles Barkman] - ---------------------------------------------------- President, Vice President, or other notable coming to town? Like to know whats going on? Here is a handy reference guide to some of the known frequencies used by the Secret Service. Should provide some interesting scanning for you radio jocks out there. Note: USSS=US Secret Service WHCA=White House Communications Agency Designation Frequency Primary Usage ------------------------------------------------------------------------------ Alpha 032.2300 MHz WHCA-Transportation 166.5125 MHz WHCA-Transportation Able 032.2300 MHz ??????????? 032.3200 MHz ??????????? Baker 165.7875 MHz USSS-Field Offices Charlie 165.3750 MHz USSS-Field Offices/Protection Delta 169.9250 MHz WHCA-Marine Security Detachment Echo 407.8500 MHz WHCA-SAM Uplink Foxtrot 415.7000 MHz WHCA-SAM Downlink Golf 166.4000 MHz USSS-Field Offices Hotel 167.9000 MHz WHCA-V.P. Staff/White House Garage 165.6875 MHz WHCA-V.P. Staff/White House Garage 166.2125 MHz WHCA-V.P. Staff/White House Garage India 407.9250 MHz USSS-Headquarters 166.2000 MHz USSS-Headquarters Juliett 170.0000 MHz USSS-Paging/Camp David Kilo 167.8250 MHz Duplex Phone-Pres Res/LBJ Lima 168.7875 MHz Duplex Phone-Pres Res/LBJ Lavender 418.1250 MHz WHCA-Transportation Mike 165.2125 MHz USSS-Dignitary/Former Pres Protection November 166.7000 MHz WHCA-White House Staff Oscar 164.8875 MHz USSS-Presidential Protection Papa 164.4000 MHz USSS-Field Offices/Protection Quebec ???.???? MHz ??????????? Romeo 166.4000 MHz USSS-Repeater Output 164.4000 MHz USSS-Repeater Output Sierra 166.5125 MHz WHCA-White House Staff Tango 164.6500 MHz USSS-Field Offices/Protection Uniform 361.6000 MHz AF-1 Communications 165.0875 MHz AF-1 Communications Victor 164.1000 MHz WHCA VP Protection Whiskey 167.0250 MHz WHCA-Paging X-ray 166.4625 MHz Treasury Common Yankee 162.6875 MHz WHCA-Presidential phone uplink or downlink Zulu 171.2875 MHz WHCA-Presidential phone downlink or uplink Pres Nighthawk Aircraft Fleet (HMX) ----------------------------------- Frequency Primary Usage ----------------------------------- 046.7500 MHz Transport 375.0000 MHz Transport 034.3500 MHz VIP Transport Net 142.7500 MHz Command Post 265.8000 MHz Squadron Common Other Phone Patches ------------------------------------------------ Frequency Type Primary Usage ------------------------------------------------ 407.4750 MHz (uplink) Nationwide-2 415.8000 MHz (downlink) Nationwide-2 407.4500 MHz (duplex) Limousines (Local/DC) 408.2000 MHz (duplex) Limousines (Local/DC) USSS Uniform Division --------------------------------- Designation Output / Input Freq --------------------------------- Gray 418.350/407.750 MHz Orange 418.775/414.950 MHz Brown 414.850/418.800 MHz Red 415.975/419.725 MHz Silver 415.650/419.100 MHz Yellow 414.675/418.150 MHz Training Division: Beltsville, MD --------------------------------- Designation Output / Input Freq --------------------------------- Green 415.750/407.875 MHz Black 415.100/418.325 MHz Blue 414.800 MHz Violet 415.800 MHz Communications Division --------------------------------- Designation Output / Input Freq --------------------------------- Gold 415.675/419.075 MHz Technical Security Division --------------------------- Designation Frequency --------------------------- F-1 408.000 MHz F-2 411.000 MHz F-3 408.500 MHz F-4 408.975 MHz Other Reported USSS Frequencies --------------------------------------- Frequency Primary Usage --------------------------------------- 163.7375 MHz 164.6500 MHz 165.2250 MHz 165.6875 MHz Washington Field Office 166.2000 MHz Washington Field Office 406.2625 MHz 407.8000 MHz 407.8250 MHz Suit Radios 407.8750 MHz Suit Radios 407.9750 MHz 408.9750 MHz Hints for monitoring -------------------- Most of the interesting frequencies are USUALLY scrambled during actual operations. However, 407.850 and 415.700 are never scrambled. Sometimes, the best info on plane landings and limo locations and such can be obtained through regular airport communications and local police. The Secret Service has been known to occasionally use cellular communications. The PL used extensively by USSS is 103.5 Hz. Hearing the callsign "Air Force 1" means the President is on the plane. "Air Force 2" is the Vice President's plane. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cellular Update Well, they've done it again. The high paying special interest groups have gotten yet another law passed. Now it is not only illegal to listen to cellular communications, but illegal to even MAKE a tuner capable of tuning them in! Never mind thats its just EMR floating through space, your body, your house. It is ILLEGAL to tune a crystal to such and such frequency converting the energy to audio. Ridiculous. People who broadcast their conversation across the country side should have no expectation of privacy. Does everyone have to cover their ears when I yell out the window to my friend? No, of course not. The question of it being immoral or not should not be confused with legality. Heres the new law. SEC. 408. INTERCEPTION OF CELLULAR COMMUNICATIONS. (a) AMENDMENT -- Section 302 of the Communications Act of 1934 (47 USC 302) is amended by adding at the end the following new subsection: (d)(1) Within 180 days after the date of enactment of this subsection, the Commission shall prescribe and make effective regulations denying equipment authorization (under part 15 if title 47, Code of Federal Regulations, or any other part of that title) any scanning receiver that is capable of -- (A) receiving transmissions in the frequencies allocated to the domestic cellular radio telecommunications service, (B) being readily altered by the user to receive transmissions in such frequencies, or (C) being equiped with decoders that covert digital cellular transmissions to analog voice audio. (2) Beginning 1 year after the effective date of the regulations adopted pursuant to paragraph (1), no receiver having the capabilities described in subparagraph (A), (B), or (C) of paragraph (1), as such capabilities are defined in such regulations, shall be manufactured in the United States or imported for use in the United States. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The HP3000's 'SECURITY/3000' system (part 3) by Sterling The third and final part of our series on HP3000 Security. STREAMX/SLEEPER -- LINKS STREAMX WITH SLEEPER ********************************************* INTRODUCTION ~~~~~~~~~~~~ A very popular program from the Contributed Software Library (CSL) is SLEEPER, which can stream a job, run a program, or execute a command or any combination of these at any specified time and repeat this action at specified intervals. Many HP3000 sites use SLEEPER to launch job streams at specified times during the day or night, and at regular intervals (for instance it might run a report program each night at 12:00 and stream a job which does a sysdump at 7:00 a.m. each Friday). But to stream a job using SLEEPER, the MPE passwords must be embedded in the job stream. A better solution would be to use STREAMX in conjunction with SLEEPER and have STREAMX generate the passwords. SLEEPER INSTRUCTIONS ~~~~~~~~~~~~~~~~~~~~ Those familiar with SLEEPER know that the file 'SLEEPCOM' must first be built as follows: :BUILD SLEEPCOM;REC=-72,4,F,ASCII;DISC=20,1,1 and then SLEEPERC (the SLEEPER communications program) is run to add entries to the SLEEPER file. SLEEPERC will ask the date, hour, and minute when the activity is to start. It will then ask if the activity is to run a program, stream a job, or execute a command. The name of the proper disc file is asked for next; then the repetition time in days, hours, and minutes (or 'none') is requested. The SLEEPER communication program may be used at any time to add, delete, or list the current SLEEPER entries; even when the SLEEPER program is running. (If you are having trouble adding entries, make sure the SLEEPCOM file is not full.) After the SLEEPER communication file is set up you may run the SLEEPER program (either type ':RUN SLEEPER', or let OVERLORD [also from the CSL] run the SLEEPER program automatically). SLEEPER will then determine the earliest time that any activity must be executed, then "go to sleep" (via the PAUSE intrinsic) until it is time to schedule that activity. In this way the SLEEPER program is little load upon the system, as it is sleeping most of the time. If a repetition time is specified for an activity then SLEEPER will update the time to schedule that activity after it has been scheduled by adding the repetition interval to the scheduling time. If no repetition interval is specified then that activity is deleted from the communications file after it is executed. SLEEPERC is a program used to communicate with the SLEEPER program as it runs. The OVERLORD program may be used to run SLEEPER or SLEEPER may be run alone (usually as a batch job). HOW STREAMX/SLEEPER WORKS ~~~~~~~~~~~~~~~~~~~~~~~~~ As you know, STREAMX gets passwords for job streams by prompting for them at :STREAM time; but because SLEEPER is streaming the job, there is no one to answer the passwords. Fortunately, SLEEPER is generally run by MANAGER.SYS (or a user with SM capability), so STREAMX will automatically generate the passwords for all job streams streamed by SLEEPER, since STREAMX's logic dictates that an SM user never needs to answer any passwords because he can retrieve them anyway. To link STREAMX with SLEEPER, we need to run STREAMX in immediate mode, equating the file we want to stream with STRMFILE and invoking STREAMX with PARM=1. Unfortunately, SLEEPER cannot run programs with parms, so instead of running STREAMX, we run STRMSLEP, which simply invokes STREAMX with PARM=1. LOGOFF -- LOGS OFF INACTIVE SESSIONS ************************************ INTRODUCTION ~~~~~~~~~~~~ Users often log on to the system, do some work, and then leave the terminal unattended (coffee break?, lunch?) without logging off. Sometimes users even go home for the day without logging off. * SECURITY THREAT: WALK UP TO TERMINAL TAKE ADVANTAGE OF CAPABILITIES DISCOVER MPE PASSWORDS TO SENSITIVE ACCOUNTS This can be a security problem because this means that anyone can come up to a terminal and use it without having to go through any security system. This can be an even greater problem if the logged-on user is an Account Manager or the System Manager because the would-be thief could take advantage of the extra capabilities and gain access to sensitive information. (It's fortunate, though, that you are using SECURITY/3000 because the personal profile answers which must be known to gain access to the system are one-way encrypted--otherwise, the would-be thief could do a :LISTUSER, :LISTGROUP, and :LISTACCT, retrieve all the MPE passwords, erase all evidence that he did so by clearing the screen, and then log on as that user at some later date. * SYSTEM RESOURCE WASTE: SYSTEM TABLES MORE TERMINALS THAN PORTS Another problem posed by having an idle terminal is that certain system resources are being used unnecessarily. This can be of particular concern if you are short on CST and DST entries, and especially if you have several users contending for a limited number of ports through data switches or port selectors. Why should an inactive session consume valuable resources? Logged-on sessions at the end of the day also prevent you from doing your backup. LOGOFF remedies these problems. It permits the System Manager to ensure that any terminal which is logged on but has not been actively used for a certain length of time is automatically logged off. HOW LOGOFF WORKS ~~~~~~~~~~~~~~~~ LOGOFF will log off qualifying sessions that have exceeded the acceptable period of inactivity. You specify how much inactivity is acceptable and which sessions are to be monitored for inactivity. * REMOVES INACTIVE/UNWANTED SESSIONS FROM SYSTEM * INACTIVE = READ PENDING AND NO CPU USAGE RECENTLY * uses MPE :ABORTJOB #Snnnn LOGOFF decides that a session is inactive if it's had a terminal read pending for a long time (at least as long as the configured timeout period). For example, if the timeout period is 20 minutes (1200 seconds) and some program prompted the user for input 20 minutes ago and he still hasn't responded, LOGOFF will abort that user. On the other hand, if the program's been working for 20 minutes, or even been suspended waiting for a :REPLY (or anything else that doesn't involve a terminal read), the program won't be aborted. After you configure LOGOFF (see CONFIGURING LOGOFF in this section) you stream a job which runs the LOGOFF program--the program will run "in the background" all the time and monitor the system using a minimal amount of resources. LOGOFF will perform an :ABORTJOB on inactive sessions--MPE will take care of file closures, buffer posting, etc. When a session is aborted by LOGOFF, * a message saying that the session is being aborted due to lack of activity is sent to that session's terminal (the text of this message will default, but you may define your own) * if the terminal is in BLOCK MODE (e.g. VPLUS screen), LOGOFF will take the terminal out of this mode and display its message below the screen. * a message describing the logoff and identifying the LDEV of the logged-off session is sent to the system console * an entry is written to LOGOFF job stream's output spool file indicating the session number aborted and the time and date it was aborted CONFIGURING LOGOFF ~~~~~~~~~~~~~~~~~~ You may configure logoff in a number of ways. * ACCEPTABLE PERIOD OF INACTIVITY * WHICH SESSIONS TO MONITOR (BY LDEV) * SESSIONS CURRENTLY RUNNING PROGRAM * BLOCK MODE HANDLING * DS SESSION HANDLING * ABORT MESSAGE TO BE SENT First, you must specify the acceptable period of inactivity. This is done with the $TIMEOUT keyword. Next, you may optionally configure which sessions will have their activity monitored by using the $TERMINALS keyword. This is done by defining the "ldev-pool" of logical devices to be monitored. Also, you may specify additional criteria to be checked by LOGOFF before the inactive terminal is aborted (e.g. that sessions running a particular program should not be aborted). Furthermore, you may configure how LOGOFF will deal with sessions which have qualified to be logged off. This includes BLOCK MODE handling, DS SESSION exclusion, and the MESSAGE to be sent to the user. If you specify only the $TIMEOUT period, logoff will by default: * monitor sessions on any logical device * exit a terminal from block mode and then display message * not abort sessions with a DS session * display the default logoff message * abort sessions running any program If you have already configured LOGOFF and wish to change something in the configuration while LOGOFF is running, you need not abort the LOGOFF job and re-start it--just make the changes to the configuration file and they will take effect right away (or, rather, the next time the LOGOFF program reads the LOGOFF data file). The configuration information for LOGOFF is kept in the file LOGOFF.DATA.SECURITY and each time you make a change to it by KEEPing the file from the :EDITOR you must: :ALTSEC LOGOFF.DATA.SECURITY;(R,X,A,L,W:CR) SPECIFYING WHICH LOGICAL DEVICES ARE TO BE MONITORED ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You may specify which logical devices are to be monitored by LOGOFF. The LDEVs to be monitored are referred to as the "ldev-pool". This "ldev-pool" is defined by adding a keyword and a list of LDEVs to the LOGOFF.DATA.SECURITY file. If you specify to INCLUDE a list of LDEVs, the "ldev-pool" will be that list of LDEVs. If you specify to EXCLUDE a list of LDEVs, the "ldev-pool" will be all the LDEVs configured as terminals which are not in your EXCLUDE list. Either add a line to INCLUDE certain terminals: $TERMINALS INCLUDE ldev ldev ldev ldev ldev ... or to EXCLUDE certain terminals: $TERMINALS EXCLUDE ldev ldev ldev ldev ldev ... where 'ldev' is any logical device number (e.g. '21 38 40 47') which are included in or excluded from the logoff "ldev-pool". LOGOFF will monitor only the sessions logged on to the LDEVs in the logoff "ldev-pool". The LDEV which is the system console is always excluded from the "ldev-pool" (even if it is switched from LDEV 20). If all the LDEVs you need to specify do not fit on a 72-character line, you may put them on several lines as follows: $TERMINALS INCLUDE 22 23 24 25 27 29 30 31 32 33 35 37 38 39 47 48 55 56 57 58 If neither a $TERMINALS INCLUDE or $TERMINALS EXCLUDE line is contained in the file, all LDEVs (except the console and all DS sessions) will be included in the "ldev-pool". Regardless of what you specify, LOGOFF will only monitor LDEVs which are configured as type = 16 (terminals). NOT LOGGING OFF SESSIONS RUNNING A SPECIFIED PROGRAM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After LOGOFF has qualified a session by LDEV and inactivity, you may additionally specify that sessions running a particular program not be aborted. This means that programs such as FORMSPEC.PUB.SYS which often have long periods of inactivity (due to screen design) may be specified to logoff as being special and that regardless of inactivity this session should not be logged off while running this program. To configure LOGOFF to EXCLUDE logging off sessions running a particular program add a line to LOGOFF.DATA.SECURITY: $PROGRAMS EXCLUDE program program program ... where 'program's are fully qualified program names (e.g. ENTRY.PUB.SYS FORMSPEC.PUB.SYS). If no $PROGRAMS is specified, this check is not performed. RESTRICTING LOGOFF BY USERS ~~~~~~~~~~~~~~~~~~~~~~~~~~~ With $TERMINALS INCLUDE and EXCLUDE, you can have LOGOFF abort only those inactive sessions which are running on certain terminals (or, for EXCLUDE, running on any terminals EXCEPT the ones given). With $PROGRAMS INCLUDE and EXCLUDE, you can restrict LOGOFF to only look at terminals that are running (or not running) certain programs. Similarly, with $USERS INCLUDE and EXCLUDE, you can specify which users should or should not be aborted due to inactivity. Say, for instance, that you don't mind people walking away from their terminals whenever they're signed on to non-sensitive accounts. The only accounts that you really want LOGOFF to work on are AP, GL, and SYS. You can just add the following line to your LOGOFF.DATA.SECURITY file: $USERS INCLUDE @.AP @.GL @.SYS Whenever LOGOFF sees an inactive session, it will check to see if it's logged on to one of those three accounts; if it isn't, LOGOFF won't touch it. Similarly, there might be some specific users that you don't want to abort. BIG.CHEESE, for instance -- your boss -- gets very aggravated when he gets kicked off the system, and the fact that he shouldn't leave his terminal inactive doesn't sway him. Rank has its privileges, after all, and you can just say $USERS EXCLUDE BIG.CHEESE Actually, you can be very specific in who you include or exclude. As the first example above showed, you can specify user identifiers with wildcards (@.AP, CLERK@.GL, JOE.@, etc.); also, you can select by session name and group name as well as user name and account name, so you can say $USERS EXCLUDE JOE,@.DEV,SOURCE which will exclude sessions signed on with session name "JOE" into the "SOURCE" group of the "DEV" account. If you have neither a $USERS INCLUDE nor a $USERS EXCLUDE line in the LOGOFF.DATA.SECURITY file, LOGOFF will abort inactive sessions regardless of their user id (although the $TERMINALS and $PROGRAMS restrictions still apply). This is a pretty good default, since usually any inactive session is not a good thing to have around. DS SESSIONS - TO ABORT OR NOT TO ABORT (THAT IS THE OPTION) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LOGOFF may be configured to abort sessions regardless of whether they are a local or remote DS-session. By default, LOGOFF will not abort any DS-session. You may perform the abort by configuring the LOGOFF.DATA.SECURITY file with the keyword: $DSABORT This will cause DS-sessions to be aborted. SAMPLE CONFIGURATION ~~~~~~~~~~~~~~~~~~~~ EXAMPLE1: If the LOGOFF.DATA.SECURITY file contained the following: $TIMEOUT 900 $TERMINALS EXCLUDE 33 36 38 39 45 $PROGRAMS EXCLUDE FORMSPEC.PUB.SYS ENTRY.PUB.SYS then LOGOFF would abort all sessions that were all of the following: Inactive for more than 900 seconds (15 minutes) AND logged on to an LDEV other than 33,36,38,39 or 45 AND running a program other than FORMSPEC.PUB.SYS and ENTRY.PUB.SYS EXAMPLE2: If the LOGOFF.DATA.SECURITY file contained the following: $TIMEOUT 1200 $TERMINALS INCLUDE 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 then LOGOFF would abort all sessions that were: Inactive for more than 1200 seconds (20 minutes) AND logged on to an LDEV from 33 to 60 inclusive. ACTIVATING LOGOFF ~~~~~~~~~~~~~~~~~ To have LOGOFF continually monitor the system and abort idle sessions (using the parameters you have configured in LOGOFF.DATA.SECURITY) you need to stream a job which runs the LOGOFF.PUB.SECURITY program, which wakes up every so often (using a minimal amount of system resources) and aborts all sessions which should be aborted, according to your configuration in LOGOFF.DATA.SECURITY. The logoff job stream is stored in the file LOGOFF.JOB.SECURITY which does not contain any passwords on the job card, so STREAMX should be used to stream the job (see the "STREAMX" section of this manual for information about eliminating passwords in job streams). Just do this: :FILE STRMFILE=LOGOFF.JOB.SECURITY :RUN STREAMX.PUB.SECURITY;PARM=1 STOPPING LOGOFF ~~~~~~~~~~~~~~~ "A car needs to be able to do only two things -- to go and to stop." A LOGOFF job stream is just a 'plain vanilla' MPE job. If you want to abort it, you can just do an :ABORTJOB, just like you would for any job of your own. On the other hand, MPE's :ABORTJOB is sometimes rather temperamental. Surely you, as a system manager, have often encountered sessions that just won't go away -- no matter how many :ABORTJOBs are done, they're still there; sometimes you even have to re-start the system if you want them removed. This is why it's a good idea for all background tasks, like LOGOFF, to have some normal shutdown procedure, which can let somebody stop them without having to do an :ABORTJOB. To do this, you just :RUN LOGOFF.PUB.SECURITY,STOP This will send a message to the LOGOFF job stream using a message file; LOGOFF will catch this message and perform an orderly shutdown of itself. Of course, you can still do an :ABORTJOB of the job stream if you want to, but we think that the ":RUN LOGOFF.PUB.SECURITY,STOP" is a cleaner solution. Note that there's no reason why you have to abort the LOGOFF job stream when you do a system backup. Just keep it running. PASCHG-changing MPE passwords ***************************** INTRODUCTION ~~~~~~~~~~~~ To protect the security of their systems, many installations encourage (or require) MPE passwords to be changed periodically. That way, by the time a password gets out over the "grapevine," it will have been changed. Unfortunately, MPE's security system makes changing user passwords rather difficult. Since only an Account Manager--not the user himself!--can change a user password, changing passwords is actually discouraged. A user may feel reluctant to spend time getting in touch with his Account Manager about changing a password (even if he, the user, suspects it has been compromised); an Account Manager is very likely to put off changing passwords if it means changing them for 100 users in his account. A very good solution to this problem--in fact, one implemented on most other computer systems--is to allow a user to change his own password. Since the user is allowed to change only his own password (not other users'), this poses no security threat; in fact, it actually improves security by making it easier for a user to get his own password changed. HOW PASCHG WORKS ~~~~~~~~~~~~~~~~ A user may run the PASCHG program, which first prompts him for his current MPE user password (if he has one). The user must enter the correct password in order to change it--this protects against somebody walking up to a logged-on terminal while its real user is away and changing the password (although SECURITY/3000's LOGOFF program is a better solution to this problem. After the user has correctly entered his current password, he is asked for a new password. After he enters the new password, he is asked to enter the same password again, to make sure that he did not enter it incorrectly the first time. If he enters a different password the second time, PASCHG assumes that he has made a typo and repeats the new password sequence. Once the user has entered a new password (and entered the same password again, guaranteeing that it's the one he really wants), his password is changed. A user is not allowed to use PASCHG to remove his own password, since the Account Manager might often want to require his users to have passwords; therefore, if the user hits when asked for the new password, an error message will be printed and the password will remain unchanged. PASCHG also forbids a user from changing his password to the same value, as that would defeat the purpose of changing the password. HOW TO SET UP PASCHG ~~~~~~~~~~~~~~~~~~~~ The PASCHG program is PASCHG.PUB.SECURITY Any user may :RUN it, and the easiest way to do this is to set up the UDC "PASCHG" so that a user may type just one word to invoke the program. We recommend that you set the PASCHG UDC at the system level so that all users may run it: :SETCATALOG CHGUDC.PUB.SECURITY, YOURUDCS.PUB.SYS; SYSTEM That way, a user need merely type :PASCHG and the PASCHG system will be invoked. Certainly, there are some HP3000 installations whose security systems operate in such a way that they don't want users changing their own passwords. A good example of this is when several people share a single user ID, and you don't want one of them to change their joint password (although for this kind of application, SECURITY/3000's security-by-session-name should be used. If you don't want your people running PASCHG.PUB.SECURITY, simply put a lockword on this file or remove it entirely from the system. No other part of SECURITY/3000 depends on it, so all the other components of SECURITY/3000 -- the Logon Security System, LOGOFF, OBSOL, TERMPASS, STREAMX, etc. -- will still function as well as always. EXAMPLE OF A PASCHG SESSION ~~~~~~~~~~~~~~~~~~~~~~~~~~~ A typical session with PASCHG might look like: :PASCHG << a UDC that runs PASCHG.PUB.SECURITY >> SECURITY/PASCHG Version 0.2 (VESOFT, Inc. (C) 1985) Please enter your current user password: << user enters it >> Please enter your new user password: << user enters 'FOO' >> Please enter the same password again: << 'FOO' again >> Password changed. Note that none of the password inputs are echoed; furthermore, if the user wanted to abort the change any time until he entered the new password the second time, he could do so by hitting . PASCHG/OBSOL INTERFACE ~~~~~~~~~~~~~~~~~~~~~~ PASCHG works well with OBSOL, SECURITY/3000's MPE Password Obsolescence System since with PASCHG the Account Manager isn't burdened with having to change dozens of passwords at the end of every month. However, in order for OBSOL to "know" that a password has been changed with PASCHG, PASCHG has to be told to tell OBSOL that a change is being made. If you run PASCHG.PUB.SECURITY with ;PARM=1, it will invoke OBSOL and tell it that the password is being changed. So if you use OBSOL, your :PASCHG UDC ought to look like: PASCHG RUN PASCHG.PUB.SECURITY;PARM=1 (whereas if you don't use OBSOL, the ';PARM=1' should be omitted). In fact, the OBSUDC.PUB.SECURITY UDC file, which contains all the UDCs relevant to OBSOL, contains this PASCHG UDC as well. Note that when a user changes his own password, he is not allowed to change the obsolescence period and warning period (as is normally the case when an Account Manager changes a user's password). This is done because the Account Manager might not want users altering the obsolescence period, perhaps lengthening it to the point where passwords no longer have to be changed frequently. Note: you may configure OBSOL to run PASCHG automatically when the user password is within its warning period (see OBSOL). In addition, PASCHG may be invoked automatically from OBSOL so that if a user logs on and is warned that his password will expire, PASCHG will be run automatically to permit the user to change his password at that time. This can further automate the process of password maintenance because a user does not have to know what program to run, what UDC name to type, or whom to contact to get his password changed. The following UDC may be used instead of OBSOLUDC to invoke the OBSOL system. As you can see, OBSOL will set a JCW which the UDC recognizes to run the PASCHG program. This UDC is stored as the file OBCHGUDC.PUB.SECURITY. OBSLOGON OPTION LOGON, NOBREAK RUN OBSLOG.PUB.SECURITY IF SECURITYANSWER = 1 THEN BYE ELSE IF CHGUSERPASS = 1 THEN RUN PASCHG.PUB.SECURITY;PARM=1 ENDIF ENDIF ENFORCING PASSWORD STANDARDS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You may configure PASCHG to edit passwords that your users specify for themselves. This editing may be used to enforce minimum password length in addition to specific alpha, alphanumeric and numeric character patterns. The edit characters used are similar to COBOL's. The 'edit pattern' is specified by adding a line to the file SECURMGR.PUB.SECURITY in the format: PASCHG-EDIT= Where the conforms to the following rules: 'X' is any alphabetic [a..z] or numeric [0..9] 'A' is any alphabetic character '9' is any numeric character For example: PASCHG-EDIT=AXXX enforces 4 character minimum password length PASCHG-EDIT=AXXX9 enforces 5 character minimum password length one alpha, three alphanumeric, one numeric PASCHG-EDIT=AAAAAAAA enforces 8 character minimum password length all alpha Regardless of what is specified by PASCHG-EDIT, as per valid MPE password format, the first character of the edit pattern will be assumed to be an 'A' (alpha) when editing the password input. If the new password is longer than the edit pattern specified in SECURMGR.PUB.SECURITY, those characters are not edited. If no PASCHG-EDIT keyword is found in the SECURMGR.PUB.SECURITY file, PASCHG will use the default edit pattern of 'AXXX' indicating a minimum four character password. GETPASS: A PROCEDURE TO GET ONE'S OWN PASSWORD ********************************************** INTRODUCTION ~~~~~~~~~~~~ There is an unfortunate deficiency in MPE which forbids a user from retrieving his own passwords; this necessitates programmers who are building and :STREAMing streams from inside their programs to embed passwords into those programs, which makes the necessary (mandatory?) operation of changing passwords once in a while simply unfeasible. The user-callable procedure GETPASS is designed to remedy this state with it, any user is allowed to retrieve his own passwords (which is certainly not a security threat, as he needed to know them to sign on; also, for convenience, the system manager is allowed to retrieve the passwords of ANYBODY (for he is god anyway), and the account manager may retrieve the passwords of anybody in his account. Thus, with GETPASS a programmer can call WHO, find out his user, group, and account names, call GETPASS, and retrieve his passwords; then, it is easy to insert these passwords into the job card. Thus,a hard-to-maintain embedded passwords can be avoided. GETPASS has the following parameters: PARAMETER 1: USER - The user to get passwords for. 2: ACCOUNT - The account to get passwords for. 3: GROUP - The group to get passwords for. 4: PASS-USER - The user password. 5: PASS-ACCT - The account password. 6: PASS-GROUP- The group password. 7: ERR - FALSE = everything went OK; TRUE = security violation or nonexistent user, account, or group. GETPASS needs to use privileged mode (PM) capability for its execution; however, it uses it in a safe fashion and has NEVER caused a system failure yet! Note that programs calling GETPASS need not be PREPed with PM capability; it must reside in an SL in a group and account containing PM capability (like SL.PUB.SYS). To add GETPASS to the system SL, you need merely do a CP\INDEX GETPASS.PUB.SECURITY :HELLO MANAGER.SYS :SEGMENTER VX -SL SL Z@ -USL GETPASS.PUB.SECURITY -ADDSL GETPASS -EXIT GETPASS can be called from COBOL in the following way: USER PIC X(8). ACCOUNT PIC X(8). GROUP PIC X(8). PASS-USER PIC X(8). PASS-ACCOUNT PIC X(8). PASS-GROUP PIC X(8). ERROR PIC S9(4) COMP. . .. CALL "GETPASS" USING USER, ACCOUNT, GROUP, PASS-USER, PASS-ACCOUNT, PASS-GROUP,ERROR. IF ERROR IS NOT EQUAL TO 0 THEN << An error occurred >> DISPLAY "SECURITY VIOLATION OR BAD USER, ACCOUNT, OR GROUP" STOP RUN. A real live example of a FORTRAN program calling GETPASS: $CONTROL NOSOURCE, USLINIT PROGRAM TEST GETPASS INTEGER USER(4), ACCT(4), GRUP(4), UPAS(4), APAS(4), GPAS(4) CHARACTER *8 BUSER, BACCT, BGRUP, BUPAS, BAPAS, BGPAS EQUIVALENCE (BUSER,USER),(BACCT,ACCT),(BGRUP,GRUP), (BUPAS,UPAS),(BAPAS, APAS),(BGPAS,GPAS)LOGICAL ERR DISPLAY "ENTER USER: " ACCEPT BUSER DISPLAY "ENTER ACCOUNT: " ACCEPT BACCT DISPLAY "ENTER GROUP: " ACCEPT BGRUP CALL GETPASS (USER, ACCT, GRUP, UPAS, APAS, GPAS, ERR) IF (ERR) DISPLAY "ERROR: SECURITY VIOLATION/BAD PARAMETER" IF (ERR) GOTO 10 DISPLAY "USER PASSWORD=",BUPAS DISPLAY "ACCOUNT PASSWORD=",BAPA DISPLAY "GROUP PASSWORD=",BGPAS 10 STOP END FILES IN THE SECURITY ACCOUNT ***************************** INTRODUCTION ~~~~~~~~~~~~ Lastly, I want to list some things you may see in your explorations. There are many interesting files to be found withing the SECURITY account. Here is a list and description of the common file you may find there: DATA group: Data files ~~~~~~~~~~~~~~~~~~~~~~~ ANSSCHEM - Schema of the database ANSWER (might be used to increase database capacity; default is 500 records). ANSWER - IMAGE database which contains information about PERSONAL PROFILE LOGON IDs (one-way encrypted passwords, access restrictions, menu file names, etc.). LOG - Circular disc file to which all attempted security violations and security configuration changes are logged. LOGOFF - Specifies logical devices to be monitored and the length of inactivity required prior to a session being aborted. MEMOFORM - Memo format for attempted violation listings which may be customized to provide more or less detail. OBSSCHEM - Dbschema input file for the image database OBSOL. OBSOL - IMAGE database specifying the date by which MPE GROUP, USER and ACCOUNT passwords must be changed (warning period, too). QUESTION - During SECURITY/3000 logon the user must answer a question randomly selected from this file (built by user; personal profile questions are recommended). TERMPASS - Specifies logical devices which will be protected with passwords. Protection for dial-ups, DS lines, etc. DOC group: Documentation files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ANORDER - Contains the DOC file names in the order in which they should be printed. CONTENTS - Table of contents for the SECURITY/3000 manual. FILES - Describes the files in the SECURITY account. GETPASS - Explains how to build job stream file in application programs without jeopardizing system security. HOW2LIST - Describes how to print the documentation files provided in the DOC group with the MPEX 'USER' command. INTRO - Overview of SECURITY/3000 package. LOGOFF - Explains why idle sessions are a security threat. Step by step instructions of how to configure logoff. NEWFEATR - New features in SECURITY/3000. OBSOL - Describes how the password obsolescence subsystem insures the frequent changing of MPE passwords. ONLINE - Describes the Logon Security System which protects against online logon access. PASCHG - User (not account manager) changeable passwords. REFS - List of SECURITY/3000 published references. STREAMX - Manual for STREAMX/3000 which provides batch access security and parameter passing to job streams. TERMPASS - Documentation of TERMPASS, which allows protection of logical devices (DS line, dial-in lines, console, etc). HELP group ~~~~~~~~~~ HELPMAKE - The stream to modify USER.HELP.SECURITY file. USER - The HELP file for SECURITY/3000. JOB group: Job streams ~~~~~~~~~~~~~~~~~~~~~~~~ LOGOFF - Job stream which runs the program LOGOFF.PUB to monitor sessions' CPU usage and logoff idle terminals by LDEV. PAPERS group: Security-related papers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ANAHEIM - "BURN BEFORE READING - HP 3000 SECURITY AND YOU", HPIUG 1983, Anaheim, CA USA. COPNHAGN - "SECURITY/3000: A new approach to logon security", HPIUG 1982, Copenhagen, DENMARK. PROFILE - "PRODUCT PROFILE: SECURITY/3000", SUPERGROUP Association Newsletter, July 1982. PUB group: Program files, USLs, UDCs, etc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ FINDCAP - A program to list dangerously capabilitied users and show if they have an MPE password. QUITE handy... LOGOFF - Program which logs off idle sessions. OBSCHG - Password OBSOLescence database update program. OBSFILL - OBSOLescence data base initialization program. OBSLOG - MPE passwords obsolescence program. OBSOLUDC - Log-on UDC file for MPE passwords obsolescence subsystem. OBSUDC - UDC file for MPE passwords obsolescence subsystem. PASCHG - The program which lets users change their own password. QGALLEY - Program to format and print DOC files. SECURMGR - Control file containing SECURITY/3000 global parameters. SECURUDC - Log-on UDC file for users protected by SECURITY/3000. SECURUSL - USL file for the callable SECURITY procedure. SESSION - USL file for GETSESSION procedure. STREAMX - STREAMX/3000 program which provides batch access security and parameter passing to job streams. STRMSLEP - The SLEEPER/STREAMX interface program (see STREAMX.DOC). STRMUDC - UDC file containing a UDC to invoke STREAMX. TERMPASS - Program which verifies terminal (LDEV) passwords and/or interfaces with USER program for positive user identification TERMUDC - Log-on UDC file for users using TERMPASS. USER - The main SECURITY/3000 program. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Informatik Submission & Subscription Policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Informatik is an ongoing electronic journal, and thus we are faced with the ever present need for a steady influx of new material. If you have an area of interest or expertise that you would like to write about, please do not hesitate to contribute! We depend on reader submissions!! We do ask that any submissions fit the following guidelines... General Content ~~~~~~~~~~~~~~ Material for Informatik should concern information of interest to the computer underground community. Examples of this include, but are by no means limited to hacking and phreaking, governmental agencies, fraud, clandestine activity, abuse of technology, recent advances in computing or telecommunications technology, and other of information not readily available to the public. Please include a title and author name. Text Format ~~~~~~~~~~ * standard ASCII test * 79 characters per line * no TAB codes * no special or system specific characters * mixed case type * single spaced, double space between paragraphs * no pagination News submissions ~~~~~~~~~~~~~~~ * Submit only recent news items * Include the headline or title of the article the author's name (if given) the publication of origin the date of publication * Don't submit news that has appeared in other e-text journals Subscription policy ~~~~~~~~~~~~~~~~~~ We are happy to provide an Internet based subscription service to our readers. To be on our mailout list, send mail to our Internet address, "inform@grind.cheme.cmu.edu" and include the word subscription in the subject of your message. If you requested a subscription before, you need to reply again, because the old subscription list was deleted by MH. Back Issues ~~~~~~~~~~ Back issues of Informatik are available via ftp at ftp.eff.org in the /pub/cud/inform directory. The site also contains a plethora of other electronic texts of interest to the "computer underground" community including Phrack, NIA, PHUN, and the LOD tech journals.