PracticalLockPickingAPhysicalPenetrationTester’sTraining

Guide

DeviantOllamShaneLawson,TechnicalEditor

TableofContents

Coverimage

Titlepage

Copyright

Dedication

Foreword

Author’sNote

AbouttheAuthor

AbouttheTechnicalEditor

EthicalConsiderations

ScenarioOne

ScenarioTwo

ScenarioThree

Sowhatdoyouthink?

Donotpicklocksyoudonotown

Donotpicklocksonwhichyourely

Chapter1.FundamentalsofPinTumblerandWaferLocks

PinTumblerLocks

WaferLocks

Summary

Chapter2.TheBasicsofPicking—ExploitingWeaknesses

ExploitingWeaknessesinLocks

PickingwithaLiftingTechnique

PickingwithaRakingTechnique

Summary

Chapter3.BeginnerTraining—HowtoGetVeryGood,VeryFast

AWordonEquipment

TheBasicsofFieldStripping

StarterExercises

LearningExercises

ChallengingYourselfFurther

UsingRakesandJigglers

WaferLockExercises

ExtraHints

Summary

Chapter4.AdvancedTraining—LearningSomeAdditionalSkills

Pick-ResistantPins

SpecializedPickingTechniques

SpecializedPickingTools

PracticeExercises

Real-WorldLocksWhichOfferGreaterChallenges

Summary

Chapter5.Quick-EntryTricks—Shimming,Bumping,andBypassing

PadlockShims

SnappingandBumping

CombPicks

AmericanLockBypassTool

DoorBypassing

Summary

Chapter6.TheyAllComeTumblingDown—PinTumblersinOtherConfigurations

TubularLocks

CruciformLocks

DimpleLocks

TheSecretWeaknessin90%ofPadlocks

Summary

Appendix:GuidetoToolsandToolkits

GuideToDifferentiatingPickTools

ANoteAboutTensionTools

PickKitSuggestions

Conclusion

Index

Copyright

AcquiringEditor:ChrisKatsaropoulos

DevelopmentEditor:HeatherScherer

ProjectManager:PaulGottehrer

Designer:KristenDavis

SyngressisanimprintofElsevier225WymanStreet,Waltham,MA02451,USA

©2012Elsevier,Inc.AllrightsreservedNopartofthispublicationmaybereproducedor

transmittedinanyformorbyanymeans,electronicormechanical,includingphotocopying,

recording,oranyinformationstorageandretrievalsystem,withoutpermissioninwritingfrom

thepublisher.Detailsonhowtoseekpermission,furtherinformationaboutthePublisher’s

permissionspoliciesandourarrangementswithorganizationssuchastheCopyrightClearance

CenterandtheCopyrightLicensingAgency,canbefoundatourwebsite:

www.elsevier.com/permissions.

Thisbookandtheindividualcontributionscontainedinitareprotectedundercopyrightbythe

Publisher(otherthanasmaybenotedherein).

NoticesKnowledgeandbestpracticeinthisfieldareconstantlychanging.Asnewresearchand

experiencebroadenourunderstanding,changesinresearchmethodsorprofessionalpractices,

maybecomenecessary.Practitionersandresearchersmustalwaysrelyontheirown

experienceandknowledgeinevaluatingandusinganyinformationormethodsdescribed

herein.Inusingsuchinformationormethodstheyshouldbemindfuloftheirownsafetyand

thesafetyofothers,includingpartiesforwhomtheyhaveaprofessionalresponsibility.

Tothefullestextentofthelaw,neitherthePublishernortheauthors,contributors,oreditors,

assumeanyliabilityforanyinjuryand/ordamagetopersonsorpropertyasamatterof

productsliability,negligenceorotherwise,orfromanyuseoroperationofanymethods,

products,instructions,orideascontainedinthematerialherein.

LibraryofCongressCataloging-in-PublicationData

Applicationsubmitted

BritishLibraryCataloguing-in-PublicationData

AcataloguerecordforthisbookisavailablefromtheBritishLibraryISBN:978-1-59749989-7

PrintedintheUnitedStatesofAmerica

ForinformationonallSyngresspublicationsvisitourwebsiteathttp://store.elsevier.com

121314151610987654321

Dedication

TomyMotherandFatherMyfathertaughtmetotakeprideinthethingsthatIown,totreat

themwithcare,andusethemproperlysothattheyservemewell.ItisbecauseofhimthatIownaten-year-oldtruckandathirty-year-oldjeep,both ofwhich run just finewith half amillionmiles between them. Ialsocannotthankhimenoughforteachingmetoshootatayoungage.

My mother taught me the value of getting the most out of theequipmentyouownbylearninghowitfunctions,insideandout,soyoucanfixitiftheneedshouldarise.IcanrememberatimewhenIwasallofaboutnineyearsoldandtheironinourhousestoppedworking.Mymomexplainedtomethatyoudon’tthrowsomethingawayjustbecauseit is old. Fiddling with the cord, she was able to determine where abreakexistedinthewire…itwasdownneartheplug.

Istoodthere,wide-eyed,asshecuttheline,strippedthewireends,and inserted them into an after-market replacement plug. She let mehold the screwdriver and tighten the contact points where electricitywouldagainflowtotheappliance.Ineverforgotwhatitfeltliketotakesomethingyouownedandgetmoreoutofitusingyourownskillsandtools.Younevercanquitetellwhenyoufirstbecomeahacker,butforlackofabetterpointonthecalendarIwillalwaysbelieveitstartedformeonthatSundayafternoon.

…Myparentsstillownthatirontothisday.

Foreword

Ifeelsomewhatlikeanoldmanremarkinginthisfashion,butthisbookis a great example of thewonderful time inwhich you currently findyourself.Tobealiveandlearningrightnow…whenthereareaccessibleresourcessuchasthisaboutlockpicking,withbeautifulillustrationsandlessons written with passion visible on every page, that is trulysomething.

I reflectbackandcompare the stateof thingsnowwithhow theywerewhenIwasyoung.Idreamedofbeingabletoopenlocks.Iknewitcouldbedone,butIdidnotknowhow.Inthe1980s,whenmyhungerfor thisknowledgewasgettingquitepowerful, thestateofeducationalmaterialswasverydifferent.ThroughadsinmagazinesIfoundasmallpublisherintheUnitedStatesofferingabookcalledTheCompleteGuidetoLockpickingbyEddie theWire.Thisbookwasan inspiration,bothforpayingcloseattentionduringmyEnglishlessonsinschool(allthebettertounderstandEddie’s everyword)and forobtainingpick tools (whichcouldonlybefoundatanexpensivespyshopfortheequivalentof$200atthetime).

ItwaswithgreatexcitementthatIsatdownathomewithmyfirstproper tool set,my book, and some locks from the store. However, ittookanentire longand frustratingdaybefore the firstpadlockclickedopen. You know (or your will soon find out!) how it feels your firsttime…youwillalwaysrememberthatmoment!Therushwasamazingandaddictive.FromthenonIwashookedandtriedtopickanylockIcould(legally!)getmyhandson.

In the following decade I published about my passion forlockpickingandhavesincepresentedmanyhands-ondemonstrationsatsecurity conferences. It wasn’t long before interested parties beganformingsportpickingclubs.AgroupoflockpickersinGermanyformedSSDeV; twoyears later Iwasamong thosewho formedagroup in theNetherlands. In 2001 our organization became TOOOL… The OpenOrganisation Of Lockpickers.Whenever anyone asks why our name isspelledwiththreeO’s,weremindthemthattobegoodatpickingthereisnootherpaththantopracticeOverandOverandOveragain.TOOOLhascontinuedtogrowandtodaywearepleasedtobeabletointroducenewpeopletothetopicoflocksandsecurityallaroundtheworld.I firstmetDeviantOllamwhenpresenting about lockpickingon a

trip to the United States. I was attempting to spread the idea thatknowledgeofphysicalsecuritymattersshouldbespreadmuchlikethedetails and reports of computer security matters… any industry thatencourages open, honest discussion will always have better products,more informed consumers, and better security for everyone overall.When someone showed me slides from one of Deviant’s lectures Iimmediately understood that he could be quite an ally. He not onlytotally grasped the concepts when it came to locks, but he alsounderstoodthebiggerpictureregardingthestateofthesecurityindustryoverall.Deviantbelievesintherightofthepeopletounderstandhowtheir

hardwareworksinordertoproperlyevaluateitanduseit.Henowsitson the Board of Directors of the US division of TOOOL and dedicatesmuchofhis time to teaching, traveling, andmakingcertain that thosewho wish to learn can truly understand and follow along with thisknowledge. He has also put a lot of energy into developing hisillustrations,diagrams,andtrainingmaterials.Theimagesthatappearin

this work are unlike any other that most of us have encountered inreferencewoks at any other time… it’s amazing to compare resourceslikethisbooktotheoneswhichhavebeenavailableupuntilnow.Thisbookisquiteanachievement.Itisthefirstnewtexttoappear

inagesshowingsomemoreadvancedandup-to-datetopics.Thisbookisalsoperhapsthefirsttexteverwhichisbothsuitableforbeginnersandyet also has somuch to offer to those seeking advanced, professionaltraining.Deviantclearlythingsclearlywitheasy, flowingwordspairedwithtechnicaldrawingsofgreatprecision.Anabsolutebeginnerstartingout knowing essentially nothing about the subject of locks andlockpickingandbewell-versedinthistopicinalmostnotime.Perhaps you just want to open locks as a hobby, or you may be

trainingasaprofessionalsecurityconsultant.Itcouldbethatyouwanttoknowmoreaboutthelocksyoubuyforyourownneeds,oryoumaybeinchargeofadvisingbusinessesontheirsecuritydecisions.Nomatterwhatyourbackground is, ifyouwantnewand fascinating insight intothis world… I don’t think any book will be giving you a betterintroductiontothisfieldthanthisone.Thank you, Deviant, for writing this book and spreading the

knowledge.

BarryWelsFoundandPresident,

TheOpenOrganisationOfLockpickers

Author’sNote

Thisbookwaswrittenoverthecourseofonemonth,duringwhichtimeIsatatmydeskwearingmybatteredNavywatchcapanddrinkinghardcider, scotch,and jasmine tea,as the samehugeplaylist repeatedoverand over and over again full of songs from FloggingMolly, Girlyman,Emancipator, The Ramones, Billie Holiday, Trash 80, and a guitar-playinggoat.

Thank you to Rachel, Matt, and everyone else at Syngress forsomehowhaving thevision to see that suchaprocesswouldsomehowresultinadecentbook.ThankyoutoShaneLawson,BabakJavadi,andBarryWelsforbeingsoinstrumentaltothisenterprisealongwithme.

I have to thank BarryWels, Han Fey, andMike Glasser for trulyopening my eyes about the potential for grasping and understandinglockpicking. TOOOL and the other locksport groups have been soinstrumental in this process. Thank you to Schuyler Towne, EricMichaud,EricSchmiedl,andespeciallyBabakJavadiforkeepingTOOOLaliveandgrowinghereintheUS.ToChris,Jim,Jon,Dr.Tran,Ed,theDaves,andespeciallyMouse…thankyou formaking the localTOOOLchapterwhatitis.Havingbeenwithyouinthebeginningmakesmefeelamazing.Steve,JVR,Dr.Tran,andDavePloshay…you’re thegreatestever when it comes to running public lockpicking events on the roadwithBabak,Daisy,andI.Shea,Scott,Michael,Katie,andeveryoneelsewho is showing so much interest and energy in getting local TOOOLchaptersstartedinnewplaces,weallsaluteyou.

Thank you to Renderman, Jos, Rop, Til, Nigel, Kate, mh, Ray,

Suhail,Gro,Hakon,Kyrah,Astera,Rene,Mika,Morgan,Saumil,Andrea,Daniele, Federico, and Francisco, and all of our other internationalfriendswhomakeusfeelathomenomatterhowfarwetravel.TOOOLwouldliketothankalloftheothersporting,hobbyist,and

amateur lockpicking groups who help to spread knowledge and buildinterestinthisfascinatingfield.SSDeV,LI,FALE,andtheFOOLSarefullofwonderful peoplewho love to teach andhave fun.An extra specialthanksgoestoValanx,Dosman,andtherestoftheFOOLSforremindingus to not be so serious, evenwhenwehave something serious to say.Some other local groups who have been so instrumental to spreadinginterest,enthusiasm,andawarenessaboutlockpickingare:

DC719–ThankyouforstartingandsuchawesomelockpickingcontestsatDEFCON

DC303–ThankyouformakinglockpickinglookbadassonnationwideTV

DC949 – Thank you for making handcuffs picking look badass onClosed-CircuitTV

ThankyoutoScorche,Datagram,andEdforyourbeautifulphotos,goodadvice,amazingcollections,andinvaluablefriendship.WithoutQ, Neighbor, Russ,MajorMal, and Zac showing off all of

theirwickedly fun gadgets over the years Iwouldhaveneverhad theslightestinsightintomattersofelectronicsecurity.I have to thank my old neighbor Tom for listening to my first

rehearsalofmyoriginalpresentationslides,andmynewneighborsGeoffandHeatherforbeingthereasIdevelopednewones.ThankyoutoJohnnyLongforshowingtheworldthatevenahighly

technical presentation should always be amusing and enjoyable… andfor reminding us that we all have a responsibility to do right by our

brothersandsistersonthisplanet.Mayallthatisgoodwatchoveryouandyourfamily,Johnny,asyoucontinuetohelpothersinforeignlands.Thank you to Dark Tangent for first suggesting that I turn this

contentintoapropertrainingcourse,andtoPingandeveryoneelsewhoworkstirelesslysothatBlackHatcankeeptickingalong.ExtraspecialthankstoBruceandHeidiforShmooCon,whereIgave

myveryfirstpubliclectureaboutlockpicking.YouandallthosewhoputinthemonumentalefforteveryyeararethereasonShmooConremainsmyfavoriteconferencetothisday.Thankyouaswelltoeveryonebehindthescenesat(deepbreath)…

AusCERT, Black Hat, CanSecWest, CarolinaCon, DeepSec, DEFCON,DojoCon,ekoparty,HackCon(go,teamNorway!),HackInTheBox,HOPE,LayerOne, NotACon, PlumberCon, PumpCon, QuahogCon, SeaCure,SecTor,ShakaCon,SOURCE,SummerCon,ToorCon,andalloftheothereventswhohavebeenkindenoughtoinvitemetospreadknowledgeofthistopictonewpeople.We wouldn’t be the researchers we are without the help of the

world’s Hackerspaces (particularly PumpingStation:One and theMetaLab)hostingusandhelpingusreachouttoothers.This work would not have been possible had I not met Babak

Javadi, who has given endless advice, encouragement, and invaluableconstructivecriticismofmymaterial.I offer great thanks to Nancy, who was there as I discovered the

extenttowhichonecoulddoamazingthingswithPhotoshop.Sospecialwasmy timewith Janet, Don, and thosewhowere therewhen Iwasfinding my voice as a teacher. So invaluable was my time withJackalope,whowastherewithmeas Iwasdiscoveringtheconferencecircuit… you made me realize that people actually liked listening towhatIhavetosay.

IcannotexpressmypleasureandgoodfortuneofmeetingChristinaPeiwhilewritingthis.Youremindedmethateventeachersofscientificmaterialcanbefunnyandcasualintheirdelivery.HavingyouinmylifemakesmefeellikeIcandoabsolutelyanything.

Most of all, I offermydeepest andmostheartfelt thanks toDaisyBelle. You have shown me more kindness, love, understanding, andsupportthanIhaveeverdreamedonepersoncouldgive.Fromrunningthe logistics of TOOOL to managing daily operations for The COREGroup to coordinating all of my travel (all three of those tasks eachbeing practically a full-time job) you are instrumental to all of theprojectsIattemptandtomylifeasawhole.Yourloveiswhatsustainsme…that,andyourawesomesandwiches.

…andaspecial thank-youto those in thehackercommunitywhoget involved. Those who attend conferences, prepare presentations,research exploits and publicly disclose them properly, those whocontinue seeking new skills, who want to explore, who want tounderstand,whowanttolearn,touch,anddo.Toanyonewhohaseversatinoneofmylecturesandaskedaninsightfulquestionorgonehometotryoutwhattheyhavelearned…toanyonewhohasnotjustwatchedbut gotten up and tried their hand at GringoWarrior, Pandora’s LockBox,theDefiantBox,ClusterPick,oranyoftheotherconteststhatIhaverunovertheyears…toallthosewhomakethecommunitywhatitis…Ithankyoufromthebottomofmyheart.

AbouttheAuthor

DeviantOllam’s first and strongest love has always been teaching. Agraduate of the New Jersey Institute of Technology’s Science,Technology, and Society program, he is always fascinated by theinterplaythatconnectshumanvaluesandsocialtrendstodevelopmentsinthetechnicalworld.WhileearninghisBSdegreeatNJIT,Deviantalsocompleted the History degree program federated between thatinstitutionandRutgersUniversity.

WhilepayingthebillsasasecurityauditorandpenetrationtestingconsultantwithTheCOREGroup,DeviantisalsoamemberoftheBoardofDirectors of theU.S. division of TOOOL,TheOpenOrganisationOfLockpickers. Every year at DEFCON and ShmooCon Deviant runs theLockpicking Village, and he has conducted physical security trainingsessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon,HackInTheBox,ekoparty,AusCERT,GovCERT,CONFidence,theFBI,theNSA,DARPA,andtheUnitedStatesMilitaryAcademyatWestPoint.HisfavoriteAmendmentstotheU.S.Constitutionare,innoparticularorder,the1st,2nd,9th,and10th.

AbouttheTechnicalEditor

Shane Lawson is the Director of Commercial and Federal SecuritySolutions in the Cyber Security Division of Tenacity Solutions, Inc.where he focuses on penetration testing, security assessments, andsupplychainriskanalysisforhisclients.Hepreviouslyservedasaseniortechnicaladviserandsecurityanalystfornumerousfederalagenciesandprivatesectorfirms.Inhisfreetime,Shaneresearchesphysicalsecuritysystemsandteachesothersaboutphysicalsecuritybypassmechanisms.ShaneisaU.S.Navyveteran,whereheservedasaninformationsystemssecuritymanagerandcommunicationswatchofficerforover10years.

EthicalConsiderations

Dearreader,you’vepickedupquitetheinterestingbookindeed.Duringitscourse,youwill learnmanyfascinatingthingsaboutlocksandtheiroperationbutbeforeyoubegin,Iposetoyouthreeethicaldilemmasofvaryingdegrees:

ScenarioOneSarah is driving around town running various errands. As sheapproaches an intersection where she as the right of way, anothervehiclecutsheroff,forcinghertoswerveinordertoavoidacollision.Shemisses the other vehicle, but runs into themedian in the process,damagingoneofher frontwheels.Theothervehicledrives away, andsince she has only liability insurance, Sarah will have to pay for therepairsoutofpocket.Laterintheday,asshewaitsinthecheckoutlineatherlocalgrocerystore,sherecognizesthecashierasthedriverofthevehicle that cut her off. As her items are totaled up, she considersconfrontingthecashierabouttheincident.Sarahdecidestolettheissuedrop, and the cashier informs that her total is $76.19. She hands thecashiera$100billandreceivesherchange.Nowcountingherchange,Sarahrealizesthatshereceived$33.81inchangeinsteadof$23.81,anexcessof$10.WhatshouldSarahdo?

ScenarioTwoIt’s a beautiful day Jeremyandhis girlfriendEmily decide to visit the

localbotanicalcenterforanicewalk.Astheyenter,herealizesheforgothisstudentIDathomeandwondersifthecenterwouldstillallowhimto purchase tickets at the student pricing. A quick exchange with thepleasantladyworkingattheticketcounterrevealsthathewouldhavetopay fullprice for the tickets.Defeated,hepays for the two ticketsandproceeds with Emily inside. As they explore the various areas, Emilymentionsthatsheheardaboutanewcollectionofexoticflowersthatshewantedtosee.JeremynotesthelocationoftheSpecialExhibitsareaonthe map and they begin to navigate their way there. As the coupleapproaches thearea, they find themselvesblockedbya ropedoff areawith a sign that reads “Due to extenuating circumstances, this exhibit istemporarily closed. We apologize for the inconvenience.” Emily is visiblydisappointedandJeremyconsidersunhookingtheropeandenteringtheexhibit anyway.After all, theypaid full price for admission! Shouldn’ttheyhavetherighttoseealloftheexhibits?

ScenarioThreeWhileworking on a project in his apartmentChad is interrupted by aknock at his door. When opens the door, he finds his friend Zachstanding there, flustered.Zachexplains thathe’s lefthishousekeysattheofficeandneeds toget intohisapartment.Healreadytriedcallingthelandlord,buttherewasnoansweratthenumber.ZachknowsthatChad recently read a book about lockpicking andwas fairly skilled atopeningmanylocksthathehaspurchasedforpractice.ZachwantsChadto open his apartment door so he can get his spare key fromwithin.ShouldChadtrytoopenthedoorforZach?

Sowhatdoyouthink?

Let’slookatthefirstscenario.Howmuchoffaultandrespectiveliabilityfall on the cashier? Even though Sarah had the right of way, did shehave any other options? Did she have a different direction she couldhavetakenthecar?Couldshehavestopped?Regardlessoftheleveloffault of the cashier in regards to the car accident earlier in the day,manypeoplewouldreturntheextra$10withouthesitation.Afterall,it’snoteventhecashier’smoney.Itbelongstothegrocerystore.Evenifthescenariowasmodifiedandthedriverof theoffendingvehiclewasalsotheownerofthestore,manywouldarguethattheissueofthecarrepairandtheaccuracyofthegrocerytransactionareseparate,andshouldbedealtwithaccordingly.Nowlet’smovetothedilemmawithinthebotanicalcenter.What’s

the appropriate course of action to take there? In regards to simplybypassing the rope barrier, one must remember that in this case, thebotanical center is legally considered private property. As such, theownerof thepropertyhas the right to restrictmovementofvisitorsastheyseefit,uptoandincludingremovalofvisitorsfromtheproperty.Ifyouhadguestsinyourhomeandtoldthemthataparticularroomwasoff limits, wouldn’t you be upset if they entered anyway? It’s alsoimportanttoconsiderthepracticalimplicationsofthesign.Eventhoughtherewasn’tmuchinformationavailableonthesignastowhytheareawas closed off, there are many good reasons for such an action. It’spossible that the plants were currently undergoing special care ortreatment, or perhaps hazardous chemicals were in use. Maybe thecenterwas justsimplyshort-staffedbecauseanemployeecalled insickand they didn’t have anyone to oversee the area. Regardless of thereason, it’s clear a boundary was drawn and it’s important to respectthat.ThebestcourseofactiontotakewouldbeforJeremyorEmilytobring up the issuewith an employee or amanager, and explain their

disappointment.Themanagerwouldlikelygivethemsomedaypassestocome back at another time, or might even arrange supervised tour.Barriers aren’t oftenusedwithout cause and it’s important to considerboththeethicalandpracticalimplicationsinvolvedwithbreakingthem.

Theethical significanceof locks inour society isavery intriguingmatter.Lockshavehistoricallyhadaveryimportantandpersonalplaceinourlives.Theyareusedasameansofsecurity.Theypreventothersfrom seeing thatwhichwedonotwish tobe seen, and theykeepourproperty and families secure from intruders. The ethical issuessurrounding lockpicking are a bitmore clouded formanypeople. It isnotanissuethatisdealtwithveryoften,anditisdifficultforsometounderstand.

Formany people the interactionswith a lock fall into three basiccategories:

1.Alockisopenedwithakeybyanauthorizeduser.2.A lock is picked open or bypassed by a locksmith on behalf of anauthorizeduser.

3. A lock is compromised via picking or physical force by an un-authorizedentity(i.e.burglar).Oftentimeswhendiscussingthehobbyoflockpickingwithothers,youmaybeaskedifyouarealocksmith.Ifyouarenot,manywilllookatyouwithanoddlyandsomemaythinkthatyounefariouspurposesinmind.Afterall,ifyouaren’tusingakey,andyou’renotalocksmith,what business do you have opening locks without the key? Mostpeopleneverthinkaboutthefourthscenario:

4. A lock not being used for the purposes of security is treated as apuzzlebyanintriguedparty.

Many have tried explaining this fourth possibility, only to bemet

withincredulouslooksfriends,family,andothers.Asaresultsometimesthe situation is explained as an endeavor of research in the name ofbetter security. However, whether you choose to adopt this hobbysimplyasadiversionarypasttimeoraspartofasecurity-relatedcareer,it is essential that you are mindful of matters surrounding ethics andlaw.Inmoststatespossessionof“burglarytools”isconsideredillegalifit

canbeshownthatonehadintenttocommitacrimeusingsaidtools.Insuchcases,nearlyanythingcanbeconsideredaburglarytool,includingbut not limited to lock picks, crowbars, screwdrivers, pliers, and evenspark plugs.However, a couple states now have laws thatmakemerepossessionoflockpickswithoutalicenseacrime.Whilesuchlawsstemmostly from scammers doing business as “locksmiths” and defraudingthepublic,suchlegislationaffectsthelockpickingcommunity,aswell.It should go without saying that it is your responsibility to know

yourlocallawsregardingthepossessionoflockpicks,butingeneralifoneremainssafeandethicalregardingsuchthingsnotroublearises.ItisherethatIwouldliketointroducewhatarecommonlyreferredtointhecommunityasthetwogoldenrulesoflockpicking:

1)Donotpicklocksyoudonotown.2)Donotpicklocksonwhichyourely.

Why the two rules?Well it’s actually fairlydifficult to get oneselfinto an undesirable position if one follows these two rules. Let’s talkaboutthefirstrule.

DonotpicklocksyoudonotownInthisusage,Irefertoownershipinthestrictestsense.It’simportanttonote that there isacleardelineationbetweenownershipofa lockand

permissiontousethelock.Whenfirstlearningaboutlockpicking,manyimmediately go to the nearest lock they can find and start practicing.Oftentimesthisisanapartmentdoor,dormitorydoor,orofficedoor.Inthese examples note that one does not own any of the locks. A key isprovidedbytheownerorlandlordforauthorizedaccessasthelockwasdesignedtobeused.Thus,accesstothekeydoesnotimplyownership.Nowlet’slookatthesecondrule.

DonotpicklocksonwhichyourelyItmaynotbeimmediatelyapparentwhythisruleisimportant,butyoumust understand that it is possible for a lock to be damaged or evenoccasionally disabled by picking. Not only does repeated picking of alockputprematureandabnormalwearonthecylinderandpins,insomeconfigurations locks can become disabled or damaged in a way thatpreventstheirnormaloperation.Ifthishappenstoalockthatregularlyuse,you’venowdisabledorbrokenpartofyourownsecurity.Youmaylockyourselfoutofyourhouse,orpreventyourself frombeingabletosecure the property. Should you accidentally damage someone else’slock,you’renowresponsibleforthedamagecausedtotheirpropertyinadditiontoanylaborandrepairneededtoresolvetheproblem.

Arethereexceptionstotheserules?Inaway,yes.Ifsomeoneoffersyouoneoftheirlockstotry(forexample,apracticelockfromtheirowncollection) that is okay as long as everyone understands that there isalwaysariskofdamageorprematurewear.Ifyougetlockedoutofyourownhousebutdohappen tohavesomepicks,youmayelect to try topickyourhouselocktogetbackin,withtheunderstandingthatifyoufail,youmaydamagethelockandthelockmayrequirereplacement.Inlightofthesespecificexceptions,Ioffertheamendedrules:

1.Donotpicklocksyoudonotown,exceptwithexpresspermissionbytheownerofthelock.

2.Donotpicklocksonwhichyourely,exceptwhenrisksofdamagearefullyconsidered.

Still, it’s much easier to use the original verbiage, as most willunderstandtheimpliedexceptionsnotedabove.

Now, let us return to our friends Chad and Zach. In this case,neitherChadnorZachown the lock that isonZach’s apartmentdoor.Additionally,Zachreliesonhisapartmentdoor lock inorder tosecurehisresidence.Thismeansthatifitisdamaged,theyhavenowdamagedthelandlord’spropertyandbrokenpartofZach’s security.Chadwouldbe violating both golden rules of lockpicking if he picks the lock. Thebest course of actionwould be towait for the landlord, return to theoffice for the key, or if absolutely necessary, call a locksmith if thelandlord allows for it. Proper, trading locksmiths are insured andbonded,whichprotectsboth the locksmithand thepropertyshouldanissueariseregardingdamage.

So,dearreader,wecometothecloseofourethicaldiscussion,butnot to the end of our journey. I ask that you keep inmind all of thetopicsthatwereoutlined,andkeepinmindtheimplicationsofbeingtoocavalier with the knowledge you learn. Remain respectful of others’propertyandboundaries,andhavefun.Don’tforgetthegoldenrules:

Donotpicklocksyoudonotown.

Donotpicklocksonwhichyourely.

IhopeyouenjoythemagicoflockpickingasmuchasIdo.

BabakJavadiDirector,TheOpenOrganizationofLockpickers

Chapter1

FundamentalsofPinTumblerandWaferLocks

ChapterOutline

PinTumblerLocksWaferLocksSummary

While there are a multitude of lock designs on the market today,producedbymanydifferentmanufacturers, the bulk of these offeringsarenotinwidespreaduse.Nearlyallofthelocksthatyouarelikelytoencounteronaday-to-daybasisstemfromjustafewbasicvarieties,andthemechanismsinsideofallofthesedevicesoperateinalmosttheexactsamemanner. If you can understand the basics of just a few styles oflocks,I’mconfidentinsuggestingthatyoushouldbeabletoopenwithgreateaseatleastthreequartersofthelocksyou’relikelytoencounter…evenmore,asyoubecomemoreskilledwithtime.Theoverwhelmingmajorityoflocksthatareinusetoday,particularly

inNorthAmerica,areeitherpintumblerlocksorwaferlocks.Ahandfulofotherdesignsareprevalentincertaininternationalregions.Leverlocks,for example, are an older design originating in the 17th century withkeys that tendtobe largerandtheiroperationmorecumbersomethanmorerecentdesigns.TheseareacommonsightinEurope,centralAsia,and parts of South America. Rotating diskmechanisms are popular innorthern Europe and parts of the Pacific Rim, while some locks inAustriaandJapanfeaturemagneticcomponents.However,inallcases—evenintheregionsoutsideofNorthAmerica—itshouldbeunderstood

that these designs are usually not nearly as prominent as basic pintumblerlocksandwaferlocks,particularlyasfaraspenetrationtestingisconcerned.Typical officedoors, deskdrawers, filing cabinets, andaccesspanelswill usually be equipped by default with lower quality locks becausethey are the easiest tomass produce, the simplest to service, and themost economical to replace or re-key should the need arise. Untilfurniture manufacturers and hardware stores cease ordering bulkshipmentsoflockswithlowproductioncostsandlaxqualitystandards,wearelikelytocontinueencounteringthemforaverylongtime.

PinTumblerLocksThestyleoflockwithwhichthemajorityofpeoplearemostfamiliaristhe pin tumbler design. I realize that many of you may already besomewhat aware of this hardware (and, indeed, diagrams andphotographsofallshapesandsizesseemtoaboundontheinternetandinotherprintedworks),butIfeelitwouldbehelpfulforustoanalyzethis mechanism briefly, from the ground up, in order to properlyunderstandhowitfunctionsandhowitcanbeexploited.Pin tumbler locks come in many forms and styles and can beincorporatedintohardwarethatappearsinanumberofdifferentshapes.TakealookatthelocksinFigures1.1,1.2,and1.3.

Figure1.1 Apadlockfeaturinganembeddedpintumblermechanism.

Figure1.2 Adoorknobfeaturingakey-in-knobpintumblercore.

Figure1.3 Adeadboltfeaturingapintumblerlockinamortisecylinder.

While each lock is clearly a very different form factor, all threefunctionwithatraditionalpintumblermechanismwhichisoperatedbymeansof a simple “blade” style key, shown in Figure 1.4, the likes ofwhichyouhaveseenmultipletimesbefore.

Figure1.4 Blade stylekeys,which featurebitting cuts along their thin edge.Manywell-knownmanufacturers’keyscanbeidentifiedsimplybytheshapeofthekey’sbow.

The pin tumbler mechanism is one of the oldest lock designs inexistenceandisstillwidelyusedtoday.Let’stakeacloserlookathow

the components of these locks are made and assembled, payingparticularattentiontohowthelockattemptstoholditselfshutwithoutthe keypresent. There are twoprimary largepieces that comprise thebulkofapintumbler lock:thehousingandtheplug.Thesearethetwoitemsthatcaneasilybeseenfromanexteriorperspectiveandarethusthemostunderstood.Wewill nowwalk through themanner inwhichthesetwosegmentsarefabricatedandhowtheyfittogether.

Theplug

Theplugofapin tumbler lock is constructed fromacylindricalbillet,typically made of brass although occasionally steel is used in highqualitymodels.Oftenthefirstfeaturetobeadded,afterthemetaliscutto the requisite length, is a small divot inwhatwill become the frontface of the plug. This helps to seat and align the key during useroperation. See Figure 1.5 for a better understanding of how we shalllook upon the various components of lock hardware. On the left is afrontalview,what theuserwould typically see froma straightforwardperspective.OntherightofthediagramsinFigures1.5through1.12weseeaperspectivefromtheside.

Figure1.5 Ablankplugfeaturingthekey-seatingdivot,readyformilling.

Figure1.6 TheleftsideofthediagramsinFigures1.6through1.12willbegintofocusonacross-sectionslightlyinwardfromtheexteriorfrontfacingsurfaceofthelock.

Figure1.7 Themilledlipatthefrontofaplug.Notehowour“frontperspective”ontheleftside has reduced in size slightly, since we are focusing our attention on a cross-sectionapproximately5mminwardfromthefrontface.

Figure 1.8 The milled notch in the rear of the plug which will later accommodate aretainingclip.Somelockstylesutilizeascrew-onthreadedendcapinstead.

Figure1.9 Thekeywayhasnowbeenmilledintotheplug.Notethatitoftenextendsfullythrough the bottom of the plug. This will come into play later when we discuss pickingtechniquesandtoolplacementinChapter2.

Figure1.10 Some additionalmilling has been cut into the rear of the plug in order toaccommodateatailpiece.

Figure1.11 Fivepinchambershavebeenmilled into theplug.Ourcross-section(on theleftsideofthisdiagram)isstillfocusedonanareaapproximately5mminwardfromthefrontfaceandthusisshowingthefirstpinchamberaswellasthekeywaymilling.

Figure1.12 Fromthesideperspectiveofourlockplug(ontherighthalfofthisdiagram)weseetheadditionalholedrilledinfrontofthepinchambers.Ithasbeenfilledwithbothasteelballbearingaswellasaceramicblock.

Giventhatthebulkofwhatconcernsustakesplacefurtherinsideofthelock,wewillbegintofocusour“straightforward”view(ontheleftsideofthesediagrams)furtherinward.InFigures1.6through1.12,thatimage will correlate to a cross-section of the plug (or the lock as awhole)approximately5mminfromthefrontface.Theplugwillbemilledwithasmallliparoundthefrontfacingedge.This is dual-purpose, in that it prevents the plug from sliding inwardthrough the lock housing while also precluding a potential attacker’sinsertion of material that could penetrate the front of the lock andinterferewiththeoperationofthepintumblerswithin.Itisquitecommonforthisfrontmillingprocesstobemoreintricate,involvingadditional ridgesordeepergrooves.Again, this is topreventpiecesofthinmetalorothertoolsfrombeinginsertedandworkedintothedepthsofthelockfromtheoutside.In addition to this front lip, the rear section of the plug is alsotypicallymilledwitheitheragroovednotchorgivenathreadedendtoaccommodate a retaining clip or screw cap, respectively. Whilethreading is typically produced at the end of the process, a clip notchcanoftenappearatthistime,asrepresentedinFigure1.8.Thenextcomponenttobemilledisthekeyway.Theshapeoftheslotfor the key is called the keywayprofile. The primary reason for using

morethanasimplerectangularslotistheneedtohelpseatandalignthekey as it is inserted into the lock. The curvature present in nearly allkeyways results in protrusions ofmetal (calledwards) that alignwithdeeper cuts and bends on the key. These help keep the key level andraisedtotheappropriateheightduringoperation.The warding created in the design of a keyway has an additionalfunction. As we will see in Chapter 4, the more complicated thecurvature of the keyway profile, the more the wards will potentiallyinterferewiththeusageofpicks,snapguns,andothertoolsthatcouldpotentiallybeusedinattackingalock.A third consideration for manufacturers when designing a keywayprofileisalsooneofintellectualpropertyprotection.Ifaspecificpatternisuniqueandunprecedented,thelockmanufacturerwillenjoycopyrightprotectionofthis“newdesign”foraperiodoftwentyyears.Thisrightistypicallyleveragednotforthepreventionofknock-offorcopycatlocks,butisinfactusedbyhardwaremanufacturerstopreventtheavailabilityofunauthorizedkey blanks on the openmarket.When a design is stillrelatively new, the vendors can market that their locks incorporate“restricted keyways” for which there is not a widespread supply ofblanksavailabletothirdparties.Asyoumayhave seenwhenhavingakeyduplicatedat ahardwarestore, the large racks or drawers of uncut blank keys are not typicallyfilledwithname-brandcomponents.KwiksetandSchlagemaybeamongthemostcommonlogosstampedonourlocksinNorthAmerica,buttakea look at the actual keys in your pocket. If I were a bettingman, I’dwagerthatmany(ifnotall)ofthemareembossedwithnameslikeIlcoor Hy-Ko (or bear no markings whatsoever). This is becausemanufacturers of locksmithing components and suppliesnowprimarilyhandle theproductionand saleofblankkeys tomosthardware stores,

stripmallkiosks,andkeycopyingcenters.Whilethisoftenresults inasavings incost (passedon toconsumers,whocan typicallycopyakeynowadaysforonetotwodollars),thefloodof“unauthorized”keyblanksacrossthemarketcanhavesecurityimplications.A number of tactics for defeating a lock are feasible only if the

attackerhasasupplyofblankkeysthatcanbeinsertedintothekeyway.Bump keying and impressioning are two such methods of attack.(Impressioningisabitbeyondthescopeofthiswork,butbumpkeyingwill be discussed in Chapter 5.) Even more basic is the risk ofunauthorizedcopiesofkeysbeingmadewithoutpermission.Whileitispossible to stamp “Do Not Duplicate” onto the bow of a key, thisdirectionisroutinelyignored…particularlybynon-locksmiths.

Tip

Ifyouhaveakeythatyouwishtocopybutwhichhasbeenstamped“DoNotDuplicate,”the

easiesttacticIhavefoundistopurchaseaslip-on“keyidentifier”cover.Thesearetypically

madeofrubberandsoldinsmallpacks,ofteninassortedcolors.Placingoneovertheheadof

thekey(perhapswithadotortwoofstrongresinorplasticepoxytopreventitsremoval)and

marking some innocuous labelon there (i.e., “Grandma’sGardenShed”)willoftendissuade

closescrutiny,evenfromestablishedlocksmiths.I’veevenmadesplotchesofpaintintheright

placeandoncesaidIwasfromaschoolthathadjusthiredanewartteacherwhoneededa

keytotheclosetwherewekeepthecraftsupplieslockedup.Thelocksmithbarelynoticedthat

hewascuttingakeyforahigh-securitypadlock.

Atthisstageofproductionthekeywayistypicallymilledintotheplugblank.IhaveseenthisdoneinpersonattheEVVAfactoryinAustriaandit’sanastonishingprocess.Alargepneumaticramforcestheplugsalonga track, exposing them to a series of fixed blades in an ornate andintricately-arranged jig. As the plugs pass each blade, the slot for the

keywaygrowsdeeperandwiderandmoreintricate.Thewholeprocesstakesmereseconds.Often,additionalmillingandcuttingtakesplaceattherearendofthe

plug, in order to accommodate and interfacewith tail pieces or cams.Thesearethecomponentsofthelockthatactuallyinteractdirectlywiththeboltorlatchmechanismwhichisholdingadoorordrawershut.Remember,it’snotalock’sjobtoholdsomethingshut.Youcaneasily

preventsomeonefrom,say,accessingaparticularroomofyourhousebyapplying brick and mortar to the doorway. That will surely keepunwantedpeopleout, right?What’s theproblemwith sucha solution?The answer, of course, is that such a solidwall of stone isn’t the bestthingtohaveifyou’realsoconcernedwithallowingauthorizedpeoplein.Thatiswhatlocksattempttodoforus…theyassistingivingotherwiserobust security a means of quickly, easily, and reliably opening whennecessary. It is our deadbolts, our padlock shackles, and other similarhardwarethatactuallyprovidethemeansbywhichthingsremain shut.Ourlocksaremechanismsthatsimplytriggerthereleaseofsaiddeadboltsandshacklesat(wehope)theappropriatetime.ThereareanumberofattacksthatwewilldiscussinChapter5which

focus on ignoring the lockmechanism entirely as one seeks to simplyinteractdirectlywiththelatchorbolthardwaredeeperwithinthedoor.Manyoftheseattacksfocusonweaknessesinthewaythatthelockcore(often,therearoftheplugspecifically)interactswithatailpieceorcam.

Tip

Ifyoudisassemblealock,payparticularattentiontothemeansbywhichtheturningofthe

plug translates into turning of other components deeper inside the device. You might just

noticeameansbywhichforcecanbeappliedthatopensadoorwithouteverhavingtoturn

theplugatall!

Thefinalstageoffabricationoftheplug(usually)isthedrillingofpinchambers. These are often drilled from above, all to a uniform depth,andequidistant fromoneanother.That isbynomeansahard-and-fastrule,however.WewilldiscusssomeuniquedesignsinChapters5and6thatvaryfromthisnorm.However,onefeaturethattendstobeuniformin almost all locks is the alignment of the pin chambers from front torear.Ideally,thesechamberswillbedrilledinaperfectlystraightline…but,aswewillseeinthefollowingchapter,thatisunfortunatelyaverydifficultthingtoachievewithutmostprecision.There are some additional features that may be added to plugs by

certainmanufacturers.Itisnotuncommonforsmalladditionalchambersor holes to be fabricated near the front face of the plug. These aresubsequently filled with ball bearings or ceramic inserts that canfrustrateandimpededrillingattacks.SuchfeaturesareshowninFigure1.12.The other large component from which the core of a lock is

constructed is the housing. This contains the plug and all otherassociated smaller elements such as pins and springs.Much aswe didwith the plug, let’s take a look at how the housing is constructed inorder toproperlyunderstand its functionand rolewithin the lock (seeFigure1.13).

Figure1.13 Muchliketheplugofalock,thehousingisoftenmanufacturedfromaraw,solid billet of metal. Hardermaterials including various grades of steel aremore common infabricating the housing.A pin tumbler lock housing can come inmany shapes. Some are pearshaped (aswithmanyEuropean lockcylindersand, to somedegree, “key inknob” stylecoresusedaroundtheworld)whileothersarelarger,moreregularformssuchasovalsorcircles. Inthese diagrams, a simple round shape is shown for simplicity. One aspect that is alwaysuniversal,however,istheroundborethatiscutthroughtheminordertoaccommodatetheplugandallowforitsrotation.

Oneofthefirstcomponentstobemilledintoalock’shousingisoftenthe large, central bore that will accommodate the plug. It is typicallyfabricatedstraightthroughwithanevendiameter(seeFigure1.14).

Figure 1.14 The plug bore has been milled through the housing. As with our earlier

diagrams inFigures1.5 through1.12, the left sideof the figure shows theworkpiece fromafrontalperspective,whiletherightsideofthefiguregivesaside-viewperspective,incorporatingsomecutawayelementstothediagram.Alsoasbefore,theleftsideofthefigurewillfocusonacross-sectionapproximatelyhalfacentimeterdeepintothelock.

Anadditionalridgeismilledintothehousingattheveryfrontofthebore opening, to interfacewith the lip on the front edge of the lock’splug.Figure1.15showsthisridgefromboththefrontandsideview.

Figure1.15 Theridgemilledintothefrontoftheplugbore.

Pinchambersare thendrilled into thehousing fromthe topsurface.Aswiththefabricationoftheplug,everyattemptismadetoensurethatthesechambersareuniformandthat theyalignperfectly fromfront torear.These chambersappear inFigure1.16.Aswith our discussion ofthefabricationofalock’splug,thefigure’s“frontviewperspective”onthe left side of the diagram now reflects a point approximately fivemillimetersinfromthelock’sface.

Figure 1.16 Pin chambers are drilled vertically into the housing. Often, this stepincorporatessomemillingorflatteningoftheverytopofthehousing.

Thetwomaincomponentsofthelockarenowcompleteandreadyforassembly.Theplugisinsertedintothehousingfromfronttorear,sincethemilled lip and ridge prevent it from passing through in any otherdirection.Uponcompleteinsertion,allofthedrilledpinchambersoftheplugandthehousingshouldlineupequally,asseeninFigure1.17.

Figure1.17 Theplughasbeenfullyinserted,aligningallitspinchamberswiththosethatarefoundinthehousing.

The plug is now typically secured by the previously mentioned

retaining clipor screwcap.Figure1.18 showsa retaining clip styleofassembly.

Figure1.18 Theplugisheldsecurelybytheadditionofaretainingclip.Itcannotslipbackforward and out of the plug, nor can it pass further inward due to the milling of the frontsurfaces.

Thelockisnowreadytobepinned.Thepinsarefabricatedinaveryrudimentary process by means of milling increasingly tightening cutsintopiecesofverythinbarstock.Brassandsteelarethemostcommonmaterialsforpins.(Again,thequalityofthelockanditsoverallcostareconsiderationsthatdictateduringthedesignprocesswhatmetalistobeused.)The pins in a lock are almost always of uniform diameter, but willvary in length.Somepinswillbealmostperfectly cylindrical, save forslight rounded edges at the top and bottom, while others are quitepointed on one end. There are advantages and disadvantages to eachdesign.Occasionally,pinsarecolor-codedduringmanufacturinginordertodenotetheirsize.Thiscanbeabenefitinhelpingalocksmithsorthisor her pin kit should it ever become slightly disorganized. However,some also view the coloring of pins as a security risk, since personscould,intheory,peerintoalockfromtheoutsideusingspecializedtools

likealocksmithscopeoranotoscope(earscope)fromadoctor’sofficeandobservethepincolors,potentiallygaininginsightintowhatsizesofpinsarebeingusedinthelock.The firstpins tobe inserted intoa lockduringassemblyare thekeypins.Theyaresonamedbecausetheyrideagainsttheuser’skeyduringnormaloperationofthelock.

Note

Youwill occasionally hear people refer to these pins as “bottom pins” since they often sit

“lower”inthelockthantheircounterpartcomponents.However,thisisaverygeographically-

specificterm.ItisthenormforlocksinNorthAmerica(andsomeotherpartsoftheworld)to

beinstalledwiththepinstacksextendingabovetheplug,butthisisbynomeansnecessary.

Most locks in Europe, for example, are installed in exactly the opposite way, with pin

chambersdrilled inwhatcouldbecalled the“bottom”of theplugandthehousing. Insuch

lockinstallations,thekeypinsactuallyappeartobeontopofmostothercomponents inthe

lockcore.Intruth,itishelpfultonotthinkofthelockwiththeserestrictiveterms.Hence,this

workwillalwaysmakereferencetokeypinsandtheircounterparts,whichwewillintroduce

shortly,driverpins.Similarly,whenaddressing toolplacement,whichwewilldo in thenext

chapter, it is helpful to speakof the “outside”or the “center” of thekeywayas opposed to

termslike“top”and“bottom”whichareequallynebulous.Physicalsecurityhardwareappears

inallpartsoftheworldinstalledinboththe“pinup”and“pindown”manner,andI invite

youtojoinmeinattemptingtoalwaysadoptneutralterminologywhenspeakingaboutlocks

andtheircomponents.

In the interest of uniformity throughout thiswork, however,wewill continue to look at

locksfromthe“NorthAmerican”perspectiveindiagramsandfigures,showingpinchambers

thatarefabricatedinthe“top”oftheplugandthehousing.

Thekeypinsareinstalledinthelockandpasscompletelythoughthedrilledchambersofthehousing,comingtorestentirelywithintheplug.

Asyouarebeable to see inFigure1.19, the pins are not all of thesameheight.Thedifferingsizesofthepinsinalockcorresponddirectlyto the different cuts that are seen when observing a key. That willbecomeclearerinmoments.Beforewediscusshowthepinsallowalocktoopen, let’s firstcontinuewith theassemblyof thisexample lockanddemonstratehowsomepinskeepthelockclosed.

Figure1.19 Anassembled lock thathashadkeypins inserted intoeachchamber. IfyoufocusyourattentionexclusivelyupontherighthalfofthediagraminFigure1.19(thesideview),it may not be immediately clear what prevents the pins from “falling further through” thekeyway.However,noticeontheleftsideofthediagram(thefront-facingview)howthewidepinchambersaremilledonlyhalfwayintotheplug.Therestofthemillingintheplug(thekeyway)istoonarrowtoaccommodatethepins,preventingthemfrompassingdownwardanyfurther.

After thekeypinshavebeen installed in the lock, thenextphaseofassemblyinvolvestheinsertionofdriverpinsintoeachchamber.Thesewill drop partway into the plug, but in each chamber they shouldprotrudeoutintothehousingofthelock,asshowninFigure1.20.

Figure1.20 Thelockhashaddriverpinsinstalled.

Note how, at this particular moment, we have now prevented anymeansbywhichtheplugcanturn.Withdriverpinsstickingthroughtheplug and the housing in each chamber, the plug is effectivelyimmobilized.Thisisthemeansbywhichthecomponentsofalockholditshutwhenthereisnokeypresent.Much likewith key pins, the driver pins are sometimes called by a

number of other names… some of which derive from somewhatgeographicallynarrow-mindedpointsofview.Youwilloccasionallyhearpeople refer to these as “top pins,” but such a term has obviouslimitationsinthecontextofinternationallockswhere,aswediscussed,the entire apparatus is installed and operates from what we in NorthAmerica would call an “upside down” perspective. I have also hearddriver pins referred to by other terms, such as “set pins” or even“binding pins.” The former term is somewhat obscure and little-used,andthelattertermreallyappliesonlytotheprocessofmanipulatingorpickingthelock.Inallofthistext,thetermdriverpinwillbetheonlyoneused.Youarefreetoadoptyourownnomenclature,butagainIwillstresstheusefulnessanduniversalnatureofadoptingthisterm,whichIvalue for its neutral nature and instant comprehensionbyparties near

andfar.The final phase of assembling the lock comes with the insertion of

springsintoeachpinchamber,finalizingthecreationofpinstacks.Thewholeaffairisthentoppedbysomemeansofcaporretentionmaterial.

Note

The actual means by which the pin chambers are topped varies a great deal from one

manufacturertothenext.Somewilluseasmallplateofmetalthateitherclipsorslidesinto

position,butwhichiseasilyremovableatalatertimetoallowthelocktobeservicedandre-

keyedwithease.Otherlockswilltoptheirchamberswithplugsofmetal.Thisprocessisquick

andprovidesaveryrobustenclosureforthepinstacks,butmakesservicingatalatertimeinto

amuchmore involvedprocess. It is often still possible todisassembleand reconfigure such

locks,butadditionaltools(suchasaplugfollower)andahigherdegreeofskillarenecessary.

ThenotedLocksportenthusiastSchuylerTownestartedthe“LockFieldStrippingContest”at

theannualDEFCONsecurityconventioninthesummerof2007whichpitscontestants(both

practicinglocksmithsandamateurdevoteesalike)inaraceagainstoneanotherandagainsta

time clock to seewho can service such locks the fastest. It’s sometimes quite a sightwhen

someoneisnotcarefulaspinsandspringsgoflyingeverywhichwayunexpectedly.

The lock is now totally assembled and ready to be installed inwhatever piece of security hardware it is designed to operate. In itscurrent form as we are seeing it in Figure 1.21, this is what wouldtypicallybe called a lockcylinder or lock core. Itwould be installed in(and become the crucial component of) a deadbolt, a padlock, a doorhandle,etc.Termscangetslightlyconfusing,giventhattheword“lock”can represent all of these things, depending on the context. It is notimpropertorefertothemechanismthatholdsshutyourfrontdoor(theentiremechanism)assimplya“lock”;norisitwrongformerchantswithshelves of pre-packaged deadbolts to call these wares “locks” in their

entirety.

Figure1.21 Springshavebeenadded toeachchamberand thehousinghasbeen toppedwithaplateofmetalthatholdseverythinginplace.

Toavoidconfusion,thisbookwillalwaysseektouseasspecificatermaspossibleandtoreferenceaccompanyingdiagramsorphotographs.Inthe most general sense, an analysis of the following terms and theirdefinitionsmayservetoclarifymatterssomewhat.

• lock—any hardware device that remains in a fixed position untiloperated by a user with the appropriate physical token (typically akey)orcorrectcombination.• lock cylinder—the core component of a physical security hardwareproductwhichacceptseitheraphysicaltokenoracombinationinputand then allows turning or pressing by the user; this turning orpressing actuates a mechanism that enables the encompassinghardwareproducttoopenoryieldinsomemanner.• padlock—a physical security hardware product in which the lockcylinder is enclosed in a force-resistant body and which features ashackle(typicallymadeofmetal)thatservestoholdshutsomeotherpieceofhardwareexternaltotheentireunit(i.e.,ahasp,achain,or

adjacent plates of metal). Many padlock shackles are U-shaped andprotrudeconspicuouslyfromtheunit’sbody,whileothersarestraightoronlyslightlybentrodsthatarecontainedpartiallyorwhollywithinthelockbody.Padlocksmayfeaturearemovablelockcylinder,ortheoperatingmechanismmay be fully integrated into the body and noteasilyservicedorreplaced.•deadbolt—aphysical securityhardwareproduct that contains a lockcylinder,whichwhenoperatedbytheuserinteractswithasolidrodorflangemechanism thatdoesnot rely on spring pressure tomaintain itspositionwhenatrest.Deadboltstypicallysecuredoorsorotherrights-of-way and are designed to be robust against most forcing andbypassingattacks.•lockingdoorhandle—nottobeconfusedwithadeadbolt,somedoorknobs and door handles incorporate a lock cylinder as part of theirfunctionality. Typically, however, such door handles attempt tomaintain a closed stature by means of spring-loaded latches. Theselatchesareabletobewithdrawnbymeansofturningthedoorhandle.Thelockcylinder,ifoneispresent,doesnotinteractdirectlywiththelatch but instead provides some means (often rudimentary) forpreventing the handle from turning. Thus, in many instances it ispossibletospringopenthisstyleoflatchwithouteverinteractingwiththelockorturningthedoorhandle.Itisalsoquitecommonforthesedevicestobeofweakerconstructionoverallthandeadboltassemblies,andgivenadirectapplicationofenoughtorqueuponthehandletheycan frequently be broken and forced to turn regardless of the lockcylinder contained within, thus operating the latch and opening thedoor.

Pintumblerlockoperation

Now that we have seen how pin tumbler locks are constructed andassembled, let us examine how they function. Those who have beenfollowingalongcloselymayalreadybegin tounderstandhow thepinsandkeyinteractinatypicallockandmayalreadybepicturingwhatisabout to be described. Just to keep our terminology straight, let’sexamineatypicalkeyinfurtherdetail,asshownbyFigure1.22.

Figure1.22 Akeythatwouldoperateatypicalpintumblerlock.

Whenauserinsertstheproperkeyintoalock,thekeypinsridealongtheedgeofthekey’sblade(seeFigure1.23).Thebladetravels intothelockuntilthekeycomestoresteitherbyitstipencounteringtherearofthekeywayorbythekey’sshouldercomingtorestonthefrontfaceofthe lock. Locks that function in this manner are called tip-stopped orshoulder-stopped,respectively.

Figure1.23 Akeyintheprocessofbeinginsertedintoapintumblerlock.

Upon complete insertion in the lockmost (or,muchmore typically,all)ofthebladeofthekeywillbewithintheplug,whilethebowofthekeyremainsoutside,allowingtheusertoapplyturningpressureinthenecessary direction. The bow of the key will typically be comprisedalmost entirely of the key’s head, although in some models of lock(particularly those where the keyway is recessed in some manner, aswithcertainautomobile ignitions) thekeywillhaveadistinctly longercollar; this serves to extend the key’s head out further from the lockmechanism. The user grips the key by the head; its shape is typicallylargeenoughtoaidinthemanualapplicationoftorqueaswellasbeinga distinct enough shape and design to help differing manufacturers’productsberapidlyidentifiedataglance.When the proper key has been fully inserted into a lock, a unique

phenomenon can be observed… all of the pin stacks will have beenpushedintoexactlytherightpositionsuchthatthesplitbetweenthekeypinsanddriverpins(knownasthepinshearline)willbealignedacrosstheedgeof theplug, ineffectbecomingonewiththeplug’sownshearline.Whenthepinstacksareallinthisperfectposition,thereisnothingobstructing the plug from turning. This alignment is represented in

Figure1.24.

Figure1.24 Akeyfully-insertedintoitslock.Noticehowallthepinstacks’shearlinesareattheexactedgeoftheplug,allowingforitsrotation.

It is a common misconception that pins (particularly the key pins)withinalockcancomefromthemanufacturerinawidearrayofvaryingsizes. In fact, the key pin sizes (and the corresponding depths of thebittingcutsonthebladeofthekey)onlyappearinregular,evenly-spacedintervals. I have never encountered amanufacturerwho utilizedmorethannine or tendistinct sizes of keypin in this simple design of lock(andthus,theirkeysonlyfeaturedninepossibledistinctdepthsofcut).Manymanufacturersfabricatetheirwholelineoflockproductswithaslittleasfiveorsixpossiblebittingdepths.Thesebittingdepthscanbemeasuredandarefrequentlydescribedby

manufacturers by use of a bitting code, which locksmiths can use tofabricate new keys even if the original keys are not present. Thenumbers in a bitting code correspond to how deeply a particular cutshouldbemade intoakeyatagivenposition.The larger thenumber,thedeeperthecut.Thus,onablankkeya“zerocut”wouldnotinvolve

the removal of anymetal at all in that position. A “one cut” is just aslight cut, while a “five cut” would be considerably deeper. On thebitting code of a typical pin tumbler lock like the one we have beenconsidering in these diagrams, the numbers represent the cuts madefromtheshoulderproceedingtowardsthetip.LookatourhypotheticalkeyinFigure1.25…

Figure 1.25 A typical blade style key shown next to a scale representing possible cutdepths.(ThekeyshownhereisrepresentativeofonefromaKwikset-stylelock,butinactualitythatbrand’sdeepestcutisactualavalueof6.Manylocksdohaveascaleofbittingdepthsthatreachestoavalueof9,however.)Notethebittingcodestampedontothebowofthekey.Thisisaverycommonpractice.

Noticehowclearlyonecangainasenseoftheregular,evenintervalsbetweenthecutdepths(theverticaldepthofthecutsintotheblade,nottheirhorizontalspacingapart…whichisalsoeven).Thiskeyhascutsinallfivepinpositions,sothereareno“zerocuts”.Similarly,ifoneviewsthesmallscaleshowntotherightofFigure1.25,youwillseethatthereareno“onecuts”either.Themostshallowcutanywhereonthiskeyisinthefourthpinposition,wherethekeyiscuttoadepthoftwo.Lookingalongthebladeofthekey,proceedingfromtheshoulderouttothetip,wecanseecutsappearingindepthsofthree,five,three,two,andfour.Not coincidentally, those are the exact same numbers stamped on the

bowofthekey.Thisisaverycommonpractice.Takea lookat someof thekeysyoumighthave inyourpossession.

How many of them have numbers stamped on the bow? How manyappeartobethestraightbittingcodesshowncompletelyintheclear?

Tip

While bitting codes can be a boon to locksmiths, they alsomake acquisition of knowledge

concerning a lock’s internal construction rapid, if not instantly, possible. The stamping of

codesonkeys is quite common.Sometimesablind code is used insteadof the bitting code,

whichcorrespondsonly toanentry ina lookup tableor referencebook.Suchresourcesare

ostensiblyonlysupposedtobepossessedbylocksmiths,butthistypeofinformationhasaway

ofleakingoutintotheworld.Still,beingmindfulofwhatisstampedonyourkeysisagood

idea.Itisnotadvisabletoletyourkeysdangleexposedonyourbeltorlayunguardedinfull

view.Keepyourkeys inaprivate location,away fromcasualglances, andconsidermaking

duplicates (without anymarkings) of any keys that have clear bitting codes stamped upon

them.

Whenallof thepinstacks ina lockhavebeenpushedto theproperposition (when all of the shear lines are alignedwith the edge of theplug)thelockcanbeopened(seeFigures1.26and1.27)

Figure1.26 All pin stacks are at the proper height to align the shear line. No pins arebindingandtheplugisfreetobeturned.

Figure 1.27 The plug is being turned. In this particular case it is being turned in aclockwisedirection,fromtheuser’sperspective.

While the differences between pin sizes can seem quite small (oftenthe increment between cut depths is less than 0.01 inch or 0.5millimeter), even amisalignment of this size in a single pin stack cansometimes be enough to prevent the plug from turning. Consider theexamples in Figures 1.28 and 1.29: a key with the bitting cut in onepositionthatisasinglevaluetoodeep,andakeywithabittingcutthatisasinglevaluetooshallow.

Figure1.28 Hereweseeakeywhichhasproperlyalignednearlyallofthepinstacks,saveone.Thecutinpositionnumbertwoistoodeep.

Figure1.29 Hereweseeakeywhichhasproperlyalignednearlyallofthepinstacks,saveone.Thecutinpositionnumbertwoistooshallow.

InFigure1.28,thecutinpositionnumbertwo,thesecondoneinwardfromthefaceofthelock(thepinstackwhichissecondfromtheleftinthis diagram), is toodeep, and the correspondingpin stack is hangingtoo low. The result is that the driver pin is binding in the shear line,

preventingtheplugfromturning.Onthiskey,thebittingiscuttoacodeof36324asopposed to35324.Thatonedifference is enough tomakethekeynotfunction.InFigure1.29wehaveanotherexampleof anearly-perfect (butyetstillnon-functional)key.Thecutinpositionnumbertwo,thesecondoneinwardfromthefaceofthelock(thepinstackwhichissecondfromtheleft inthisdiagram), istooshallow,andthecorrespondingpinstackisliftedtoohigh.Theresultisthatthekeypinisbindingintheshearline,preventingtheplugfromturning.Onthiskey,thebittingiscuttoacodeof34324asopposedto35324.Again,thisisaverysmalldeviationfromtheproperbitting,butitisstillenoughtointerferewiththeoperationofthelock.Speakingofminorvariationsofakeyandhowtheymayormaynotaffecttheoperationofalock,considerforamomentthesmallpointsofmetalthatprotrudeupwardfromthebladeinbetweentheflatlandsofeachbittingcut.Theseareanaturalresultofthesizeandshapeofthecuttingwheelandthedistancesbywhicheachbittingcutareseparatedfromoneanother.Theresultant“points”thatremaininbetweenthecutsonthebladeofakeycanprovideasatisfyingseriesofperceived“clicks”as thebladerides intothekeyway(aseachpinstackpassesacross theridges),butthepointsthemselvesarenotacrucialelementofthelock’seasyandsuccessfuloperation.Intheory,onecouldfileorgrinddownallofthoseextrapointedsegmentsonthebladeofthekey(takingcaretonot disturb the specific depths of each bitting cut on their flatmiddlesection) and such a key would still be functional. It would, however,appearsomewhatodd(seeFigure1.30).

Figure1.30 ThesamekeythatwefirstsawinFigure1.24,afterhavingits“points”fileddown.Thisleavesarelativelyflat,smoothsurfaceacrosstheentirebladeedge.Notethelackofanyconspicuousriseoutbythetipoftheblade,asthebittingdepthofthelastpositioncanbemaintainedallthewayoutbeyondthetip.

Such a key wouldn’t produce as many noticeable “clicks” as it didbefore, but there is no real reason why it would fail to functionadequately when being used in a lock under ideal circumstances (seeFigure1.31).Thebittingsurfaceswouldstillpushthepinstackstotherequisitepositionsandthere’seventhepossibility that this typeofkeywouldreducepotentialwearandtearonthepinsthemselves.

Figure1.31 Akeywiththesharppointsremovedfromin-betweenthebittingsurfaces.Thiskeywillstillfunctionasfarasopeningthelockisconcerned.

Speakingofwearandtear,thereexistsonepotentialpointofdifficultywith the prospect ofmodifying one’s keys in this fashion.Most of thematerialsusedinthefabricationofalock’scomponents(particularlythemoreintricatepiecessuchaspinsandusuallyevenkeys)aresoftmetals,chieflybrass.Overtime,throughrepeateduse,thesemetalscandeform.The tips of pins (particularly key pins) can become worn down, andsmall pits or valleys can begin to develop on the bitting surfaces of akey.Manyofyouhavenodoubthadakeythatstoppedworkingreliablyovertheyears.Thatisbecausetheeffectsofwearandtearhavereducedthekey’sability toaccurately lineupallof thepin stacksat theshearlineuniformly.ConditionssuchasthesearerepresentedinFigure1.32.Whenthishappens,considerableeffortissometimesrequiredbytheusertojiggleorcajolethelockintooperating.

Figure1.32 Akeythatisdeformedthroughrepeateduse.Notethebittingcutsinthethirdandfourthpositionfromthelefthavestartedtoslopedownwardintosmall“valleys”thatcause

thethirdandfourthpinstack inthis locktobepositionedslightly too low.Thedriverpins inthosetwochambersareeversoslightlycaughtintheshearlineoftheplug.Considerableeffortwouldbeneededtogettheplugtoturninthiscondition.

Therearetwothingsthatusersoftenattempttodowhenoperatingalockwithakey that ispast itsprime:Theywill jiggle thekeyupanddown or attempt to wiggle it in and out of the lock slightly whileattempting to turn theplug.The former techniquedoesnotproduce agreatdealofmovement,given that thewardingof thekeywaygreatlylimitshowmuchaninsertedkeycanmoveupordown.Pulling the key slightly outward, however, often produces betterresults.Whyis this? Ithas todowiththose leftoverridges thatare in-betweenthebittingcutsonafreshly-madekey.ObservethebehaviorofthepinstacksseeninFigure1.33asakeyiswithdrawnslightlyfromtheplug…

Figure 1.33 A malfunctioning key, slightly withdrawn from the lock that a user isattemptingtooperate.Thepointedridgesofmetalonthekeybladethatoccur in-betweentheoriginal bitting cuts are capable of providing just enough additional lifting that the twoproblematicpinstacksarenowinapositiontobetterallowforrotationoftheplug.

Thus,whiletheremoval(bymeansoffilingorgrinding)ofthepointy

ridgesinbetweenthebittingcutsonone’skeymaymakeoperationabitmoresmooth (andpotentiallymay reducehowmuchpoking intoyourthigh thatyou feel fromwithinyourpocket), Idonot feel it isalwaysthe best course of action to modify your keys in this manner. Whileslightly rounding off the sharpest edge at the tops of each little ridgemight help to reduce the stress on your lock’s pins and make forsmoother operation, that’s about as far as I’d go when it comes tomodifyingkeysforeverydayuse.

WaferLocksThe secondmost common style of lock that is encountered in the realworld, particularly in business environments, is the wafer lock (seeFigure 1.34). These seem to present an interesting puzzle for manytraininginstructorsandauthorsofbooks.Manywaferlockswhichcomepre-installed in office furniture are so unsophisticated (and,consequently,sotrivialtoopeninmostinstances)thatanumberoftextsandtrainingclassesseemtoeitherskipthementirelyorgivethemjustabasicoverviewtreatment,whichcanbeoftensummarizedas,“Youjustsort of rake them and they pop right open.” There are a fewmanufacturers who produce wafer-based locks of considerable qualitywhichdoofferahigherdegreeofsecurity.TheMiwacompanyofJapanandtheIllinoisLockCompanyaretwosuchexemplars.

Figure1.34 Waferlocksintheirmosttypicalformfactor.

Whileitistruethatmostwaferlocksarehardlyhigh-securityandthattheytypicallyposenosignificantchallengetoanyoneattemptingcovertentry, it is unfair (particularly to those just starting out) to gloss overthistopicentirely.Theseare,afterall,thesecondmostcommonstyleoflock in use in office buildings and they are inevitably “protecting”sensitive materials like paperwork, backup media, essential wiring,serverracks,andwiringcabinets.Forthatreason,wewillnowcoverasolidoverviewofthisstyleofhardware.Wafer locks are often found in places where a cheap and semi-effectivemeansofpreventingaccidentalopeningoroperatingsomethingis necessary. They are typically sourced and implemented by themanufacturers of furniture or other such equipment. For this reason,these pre-installed locks are almost always made exceedingly cheaply,withlow-qualitycomponentsandvery loosemachining tolerances.Andyet,suchlockswindupprotectingasurprisingnumberofresourcesthatcouldbeconsideredcritical,asseeninFigures1.35and1.36.

Figure1.35 Awaferlockonthecoverofasurveillancecamera.

Figure1.36 Awaferlockonanalarmpanel.

Wafer locks are common sights on access panels (especially thoserelating to electrical power and circuit breakers) as well as office

furniturelikedesks,filingcabinets,etc.Manyautomotivelocksarewaferlocks,aswell(seeFigure1.38).Wafer locks are also often employed as electrical switching

mechanisms,eithercompletingorbreakingacircuit.Sometimesthiscanbe as simple as controlling the lights, thermostat, or exhaust fan in aroom where casual passers-by shouldn’t be able to change theenvironmentalsettings.However,equallycommonisthesightofawaferlockenablingordisablinganelectronickeypad,theoverridemechanismonacashregister,or(asshowninFigure1.37)theoperatingbuttonsofanelevator.

Warning

Ifyouneedtoprotectcriticalareasofyourfacility,thisisnotameansofachievingthatend.

Figure1.37 Anelevatorusingwaferlockstoregulateaccesstocertainfloors.

Figure1.38 Thegreatbulkofautomotivelocksarewaferlocks,aswell.

Let’stakeacloserlookatwaferlockstounderstandhowtheyperformandhowtheydifferfromthehardwarethatwehavealreadyexamined.The keys of a wafer lock often appear to be quite similar to those oftraditionalpintumbler locks.And, ifobserveddirectlyfromtheirfrontface,waferlockscanoccasionallybehardtoidentify(seeFigure1.39).After all, likepin tumbler locks, theyoperatebymeansof aplug thatrotatesalongasimpleaxis.

Figure1.39 Awaferlockcanhavetheappearanceofapintumblerlockwhenviewedfromthefront.Thereisakeywaywhichfeaturesonthecenterofaplugwhichturnsduringoperation.Perhapstheonlythingthatmightlookabitdifferentfromaconventionalpintumblerlockistheparticularly“flat”edgeonthebrassbitsseenwithin…thatisbecausetheyarenotpins.

However, an aspect of a wafer lock’s construction that differssignificantly from a pin tumbler lock is almost immediately apparentwhenthemechanismisviewedfromanoff-angle.Theverylargetailpiece(knownasacam)whichfeaturesontheend

of the plug can be clearly seen from this angle in Figure 1.40. Whatcannot be seen, however, is any large housing surrounding the plug.Notice in Figure 1.41 how the wafer lock’s housing is almostnonexistent.Ifthiswereapintumblermechanism,therewouldhavetobeamuchlargershellcontainingroomforpins,springs,etc.

Figure1.40 Awaferlockthathasbeenremovedfromitsinstallation.

Figure1.41 Ifthiswereapintumblerlock,therewouldbealargerhousingcontainingpinstacks.

Waferlockconstruction

Wafer locks are constructed and operate in a much simpler andrudimentarymannerthanpintumblerlocks.Letusnowstepthroughtheprocess bywhich the few components are fabricated andobservehowtheyinteract.

Note

WhilethediagramsinFigures1.42to1.49willproceedtoshowhowsuchhardwarecanbe

manufactured by drilling and milling, it should be understood that most wafer locks are

produced by much cheaper means, such as casting from simple metals or even injection-

moldingofplastics.Still,tocontinuethethemeestablishedearlier,astep-by-stepprocesswill

beshowninthesediagrams.

Figure1.42 Awafer lock’shousingconsistsofasimplecylindricalpiece,oftenfeaturingaliporcollararoundthefrontedge.

Figure1.43 As with the earlier diagrams in Figures1.6 through 1.12 that discussed pintumblerlocks,thecross-sectionview(appearingontheleftsideofthesefigures)willrepresentasegmentofthelockapproximatelyfivemillimetersinwardfromthefrontface.

Figure1.44 Awafer lock, like locks seen in the sectionon thePinTumblerdesign,hasalongchannelrunningthroughthehousingtoaccommodatetheplug.Anadditionalmilledlipinthefrontistypicalinallmodels,sinceplugsareinstalledfromthefrontandsecuredintherear.

Figure1.45 Channelsarecreatedwithinthewallsoftheplug,sometimesinjustoneortwoplaces, but there can be up to four inmost typicalwafer locks. These channels dictate thepositionsatwhichtheplugcanbeheldinplaceandwherethekeycanberemoved.

Figure1.46 Aswiththehousing,thesediagramswhichdescribetheconstructionofawaferlock’splugwillincorporateacross-sectionviewontheleftsideofthefigure.Thatviewwillrepresentanareaapproximatelyfivemillimetersinwardfromthefrontfaceofthelock.

Figure1.47 Thethin,squarecutchambersinawaferlockplug.

Figure1.48 Eventhekeywayofawaferlocktendstobeverysquareandrudimentary.

Figure1.49 Theplugofawaferlockinsertedintothehousing.

It looksquitesimplistic, indeed…butoncewereviewthemannerinwhich theplugofawafer lock is constructed, the functionality shouldbecomeclear.While theplugofawafer lockdoes incorporateakeyway, thereare

few similaritieswith pin tumbler locks beyond that. Themilling is farsquarer and, as we shall see, the chambers are much thinner andsimpler.The plugs milled into a wafer lock do not accommodate rounded

components (like the pins of a traditional lock) but instead are fittedonlywiththin,flatsegmentsofmetal…theeponymouswafers.Themeansbywhichawaferlock’splugisheldstationarymuchofthe

time,butallowedtorotateeasilywiththeuseofakey,comefromhowthewafersareshapedandinstalled.Let’sfirstjusttakealookatasinglewafer,installedinthelock,seeninFigure1.50.

Figure 1.50 A wafer has been installed in the first chamber. Spring pressure keeps itpressedtotheouteredgeoftheplug.

(Fromthisperspective,onecouldsaythespringkeepsthewaferata“downward”position.)

Whenthelockisatrest,thewaferpreventstheplugfromturningbyhanging“down”intothe“lower”channelofthehousing.Liftingofthewafermakes it clear the lower channel, thus allowing rotation of theplug.However,theliftingcannotbeindiscriminate;ifraisedtoofar,thewafer’sotherprotrudingedgewillextendintothe“upper”channel,thusblockingmovementoftheplug.

Waferlockoperation

Inorder toaccommodatekeys thathavebittingcutsofvaryingheightacrosstheblade,manufacturersproducewafersfortheirlocksthathavethe central, rectangular hole in differing positions (see Figure 1.51).Thus, the locks can be keyed to various (albeit, rather limited) bittingcombinations.

Figure1.51 Variouswafersthatcouldbeinstalledinawaferlocktoallowbitting.

By varying the position of the cut within the wafer, it varies thedegree towhich thebladeofakeywill lift thepieceofmetal.Hence,keys can have a series of discrete cuts. As with pin tumbler locks,however, the possibilities for variation aremechanically quite diverse,butinpracticeitisrareforwaferlockstohavemorethanhalfadozenpotentialbittingdepthsonthebladeofthekey.AfullyassembledwaferlockisshowninFigure1.52.Notethelackofconsiderablevariationinthepositionsofthekeycutswithinthewafersthemselves.

Figure 1.52 A wafer lock, fully assembled. Notice the varied positions of the key cutswithinthefivewaferscontainedintheplug.

Ihavesaidthatitisslightlybeyondthescopeofthisworktoexamineingreatdetail the tailpiecesor camson the rearofplugs.Wafer lockstend to be simple enough for us to continue in this vein. The onlysignificantandnotablefeaturethatsometimesappearsontheirtailsideisarotation-limitingbit.Unlikepintumblerlocks—whichalmostalwaysallowforplugrotation ineitherdirection, limitedonlyby thepossiblepositions of movement of the bolt or release latch or whatevermechanism the lock is operating—a great number of wafer locksincorporatefeaturesthatlimitwhichdirectionandhowfartheplugcan

rotate regardless of whether the lock is installed or whether the tailpiece is contacting anything. This small bumper bit and cam washersystemisshowninFigures1.53through1.55.

Figure1.53 Therearsideofawaferlock,showingtheplugrotationlimiter.

Figure1.54 Therearsideofawaferlock,highlightingthenotchedpluglimitingwasher.

Figure1.55 Therearsideofawaferlock,highlightingthepluglimitingbitonthehousing.

One last consideration regarding wafer locks has to do with themanner inwhich theycanbe serviced.Thebulkofwafer lockson themarket fall into one of two categories: locks that cannot easily bedisassembled and serviced, and locks whose tail pieces can beunscrewed, which then allows the plug to fall forward out of thehousing.

Tip

You shouldbeaware (particularly if youperformany covert entryworkduringpen testing

jobswheretimeisof theessenceandyouareconcernedabout leavingbehinddetectableor

noticeablesignsafterthefact)thatthereisalesser-knownthirdtypeofwaferlock.

Believeitornot,occasionallyamanufacturerwilldesignawaferlockthatcaneasilybefieldstrippedandevenre-keyed.Onre-keyablewaferlocks, there is an additional wafer at the far rear position within theplug. While most wafers in a lock are equidistant from one another,often times this special “controlwafer” is separated by a greater thannormaldistancefromtherestofthewaferpack(seeFigure1.56).Mostusers’ keyswill never reach deep enough into the lock to contact this

waferanditwilltendtoneverbepushedoutofitsdefaultposition,evenwhenthelockisoperating.

Figure1.56 Awaferlockfeaturinga“controlwafer”deepwithintheplug.Noticethattheforward-perspectivecutawaydiagram(onthe leftsideof this figure) focusesatamuchdeeperpointthannormal:thepositionofthecontrolwafer.

Onsuchare-keyablewaferlock,thetailpiecedoesnotscreworfastendirectlytotheplug,butsimplyalignsandsnapstogetherbymeansofasquareorhexagonalhole. If the controlwafer is lifted (bymeansof aspecialized key that not only acts upon the regular wafer pack, butwhich is also long enough to reach this last, deepestwafer), then theentireplugisfreetoslideoutwardandberemovedfromthehousing.Itisthenpossibletoselectadifferentwaferplug,anduseasimilarcontrolkeytoinstallit.I do not know of this feature being used necessarily with great

frequency.However, it has some very real implications to the field ofcovert entry…namely, if you’re not careful you can start out trying toquietlyandquicklyopen,say,adeskdrawerandwindupinsteadwithhalfthelockpoppingoutintoyourhandsorrollingacrossthefloor.The

desk can be unlocked if you reach into the large hole that has justappeared,butnowyouhavetheproblemoftheejectedplugwithwhichto contend. Such amatter is easily resolved, however, andwith somededicated pressure in the right spot (lifting the control wafer just therightamount)youcanslip theplugback inand it should lock into itsoriginalposition.

Betterwaferlocks

Not all wafer locks are this rudimentary. Most (indeed, I would say“almost all”) wafer locks offer little in the way of security, howevertherearea fewstandoutswhichwehaveencountered that trulybreakfromthistrend.ShaneLawsonpointedouttomethatduringhistimeinJapan,heoften encounteredwafer locksprotectinghomes andoffices.Produced by theMiwa company there in the Land of the Rising Sun,they are anything but weak or cheap. Also impressive, due thecomplexity of wafers and the sheer number installed, is the Duo lockproduced by the Illinois Lock Company (see Figure 1.57). I have alsoobservedelevatorcontrol locks featuringanatypically largenumberofwafers(seeFigure1.58).

Figure1.57 Twopairsofwafers(left)andtheentirewaferpack(right)inaDuolock.Thisisnotyouraveragewaferlockatall.

(Photocourtesyofdatagram.)

Figure1.58 AwaferlockusedasacontrolswitchinaDoverelevatorcab.Whileitdoesn’thavequiteasmanywafersastheDuolockshowninFigure1.57,itisstillimpressivecomparedtoan“average”waferlock.

SummaryThis chapter has exposed you to the inner components of the mosttypical styles of lock in use today. By seeing how the pieces of pintumbler locks andwafer locks are fabricated, you are better suited tounderstand how and where imperfections can develop duringmanufacturing.Itisthesesmallflaws,whichwewilldiscussinthenextchapter,that

makepickingpossible.

Chapter2

TheBasicsofPicking—ExploitingWeaknesses

ChapterOutline

ExploitingWeaknessesinLocksPickingwithaLiftingTechniquePickingwithaRakingTechniqueSummary

Nearlyallmechanicallockshaveweaknessesthatmakethemsusceptibletopickingattacks.Thischapterwillexaminethetypesofflawsthatarecommonlyfoundinthelockspeoplerelyondayinanddayout.Varioustechniquesforexploitingtheseflawswillthenberevealed.

ExploitingWeaknessesinLocksWehavediscussedthemanner inwhichthemost typical locksused inour world are assembled and how they function under normalconditions. It is essential to understand, however, that “normal”conditionsareoftenanythingbut.Thereareanumberofwaysthatlockscanfailtooperateastheirdesignersexpected.Smallimperfectionsinthemanufacturing process, unanticipated interactions between adjacentcomponents,andevensimplytoomuchspace intowhichunauthorizedtoolscanbeinserted…allofthesefactorscancausealocktobeeasilypickedorbypassed.

Manufacturingimperfections

Companies in the lock industry are similar to other enterprises in the

realmofmanufacturing.Theyseektobringaproducttothemarketplacethat consumers will purchase, and they wish to do so in a way thatyields themaximumpotential profit. There are primarily twoways ofdoing this: Offer a high-quality good that can command a substantialprice tag, and make production as economical as possible to reducecosts. These aims are often somewhat incompatible, and a greatmanycompanies (particularly companies who are in the business ofmanufacturing a wide array of goods, including hardware that is notdirectlyrelatedtosecurityneeds)tendtofocusonthesecondprinciple.Byreducingoverheadandsupplyexpensesasmuchaspossibleontheirfactory floor, their entire line of products can be fabricated for lessmoney and yield a higher rate of return. Unfortunately, most typicalcost-saving measures that can be implemented by manufacturers ofhardwaregoodstendtocompromisetheefficacyofconsumeritemssuchaslocksandsecurityproducts.The two key ways in which costs can be saved during the lockmanufacturingprocesspertain to thequalityofmaterialsusedand themethodsbywhichtheyarefabricatedintothenecessarycomponents.

Choiceofmaterials

Thequestionofwhatmaterials shouldbeused forvariouscomponentsofa lock isnotas straightforwardas itmayseem.Thereareofcoursethemostbasicfactorssuchassupplycost(stainlesssteelversusbrasscanbequiteadistinct lineonacompanyspreadsheet),but thedecision touse a specificmaterial also has ramifications that are felt through theentirefabricationprocessandeventhefinalproduct’slifecycle.Theharderametalis,themoreresistanceitwilldemonstrateduringmachining. Cutting the varied angles and depths necessary to create akeyway down the middle of a lock’s plug, for example, will require

considerably less force if brass is being used as opposed to hardermaterials.Usingamaterialthatcanbemoldedorcastasopposedtocutwill also change how easily and how quickly a component can beproduced.Ofcourse,allofthesesameconsiderationswillalsoaffectthequality of the resultant components. Pitting, scratching, and otherblemishes can result on parts which are produced from lower-costmaterialsorbymeansofless-intensiveprocesses.

Cuttinganddrilling

Even when milling and drilling is a part of a lock’s production, thechoicesthatthemanufacturermakeswithconsiderationsofcostinmindcanaffectthequalityandsecurityofthefinalproduct.Forexample,theverticalchambersofa traditionalpin tumbler lock(thatareseparatelydrilledintoboththeplugandthehousinginordertoaccommodatethepin stacks) are often produced by means of a work piece advancingalong an assembly line, being held temporarily in a clamp, and thenbeingsubjectedtofivebriefpenetrationswithadrillbit.Eitherasinglebitisrapidlyadvancedandinsertedbymeansofnumericallycontrolledequipment or a largedrill jig equippedwith an array ofmultiple drillbits held in close proximity to one another completes this task. If acompanyelectstonotformtheirpintumblersbyacastingmethod,theyare often manufactured by advancing a piece of rod stock through amillingmachine as a blade rapidly cuts concentric rings of decreasingsize,asifturningapieceoffinewoodworkonalathe.In all of these circumstances, the instruments used in drilling andcuttingintothemetalwillwearout.Anytimespentbringingproductionto a halt in order to perform maintenance and replace parts is ahindrance to profit. Similarly, the replacement tool components alsocontributetooverallcost.Manycompaniesseekingtomaximizerevenue

will push their manufacturing equipment to its maximum potential,perhapsreplacingdrillbitsonlyaftertheyhavebecomeveryunreliableorrunningmachinesataveryfastpacewhileallowingforsomeslightlyloosertolerancesinthefinalshapeandsizeofthefinishedpieces.Such cost-cutting methods may not yield results that are very

detrimentalifacompanyisproducinghingesorshovelsoranyoneofathousandotherconsumer itemsthatweseeontheshelvesofour localhardware store.When is the last time you squatted downby a box ofcarriageboltsandmeticulouslypickedouthalfadozenthatyoufelthadnoblemishesormarrededges?You’renot shopping for eggs, after all.However,thesesortsofsmallimperfectionscanhaveaveryrealimpactontheusefulnessandefficacyofaproductsuchasalock.Blemishesandpitting on the pins, or slightly off-center or misshapen milling ofroundedpartsandroundedholes…alloftheseveryminorissues(someofwhicharebarelyvisible to thenakedeye ifyou inspecta lock)canadduptoserioussecurityweaknesses.

Mechanicalimperfectionsleadtosecurityweaknesses

Let us consider some of themost commonways inwhichmechanicalimperfectionscanpresent themselves intypical locksandthuscometounderstandhowlockpickerscanexploitthem.Picturethecomponentsofapintumbler lock, inparticular theplug.

Figure2.1showsusatop-downviewoftheplugontheleftside,nexttothewholeassembledmechanism.

Figure2.1 Imagine a disassembled pin tumbler lock from a top-downperspective of theplug.

In a world with no mechanical imperfection and utterly perfectmaterials used in all instances, the pin chambers would be alignedperfectly. In such an ideal world, all the pins would be fabricated toexactly the same diameter, and the plug channel would not allow foranythingotherthanperfectrotationdowntheprecisecenteraxis.As shown in Figure 2.2, in this idealized (and, in practice,unattainable) lock, anyattemptmade to rotate theplugwithoutakeypresentwouldcausethedriverpinstobindintheshearline…andtheywoulddosowithaforcethatwasperfectlyandevenlydistributedacrossallthepinstacks.

Figure2.2 Inaperfectworld,alldriverpinswouldbindwithexactlythesameforce.

We do not live in a perfect world, however. At some point, acomputer-drafted diagrammust be sent down to a machine shop andactuallyproducedusing realmaterials,not justonesandzeroes.Whenthathappens,andwhenthemanufacturingcompanymustconsiderjusthowandwhere theywant to try to cut costs, these tiny imperfectionsstart to crop up. In the real world, when a lock finally rolls off theassemblyline,itscomponentslookmuchmorelikethoseseeninFigure2.3.

Figure2.3 A lock intherealworld.Notice(inthetop-downviewonthe leftsideof thisdiagram)theslightlymisalignedandmisshapenpinchambers.Thishappenstosomedegreeinallmechanicallocks.

Althoughthebestmanufacturersattempttofine-tunetheirequipmentandproducepartswithout flaws,somesubtleblemisheswillalwaysbethere, even if they are not easily detectablewith the naked eye.Mostlocks, if you look closely, will exhibit at least a few signs of suchimperfection.Manyproducts, in fact,willbeglaringlydeficient in theirquality control. Figures 2.4 and 2.5 are photographs of the plug andpins,respectively,ofabasicoff-the-shelflock.Thesephotosweretakenwithout the lock ever having been used so much as a single time.Nothing seen here represents wear and tear but is simply arepresentationoftheproductasitcamefromthemanufacturer.

Figure 2.4 A close-up view of a plug from a typical off-brand lock. The considerableimperfectionofthepinchambers(inbothalignmentandfinishingaroundtheedges)istheresultofmanufacturingonly;thelockhasneverbeenused.

(PhotocourtesyofAustinAppel.)

Figure2.5 Aclose-upviewofthepinsfromthesameunusedpadlock.Thedeepscarsandotherblemishesonthepinsarenottheresultofabuseinthefield.Thepinscamethatwayfromthefactory.

(PhotocourtesyofAustinAppel.)

All of these imperfections cause the following critical situation toarise: When rotational force is applied to the plug of a lock, themechanisms designed to prevent turning (pins,wafers, etc.) do not allexperiencethesamedegreeofforce.Mostofthetime,theforceisbornebyvery fewof the lock’s internalmechanisms. Inmanycases,a singlepin stack (whicheverpin stack is themostmisaligned and is closest tothewallofthehousinginwhicheverdirectiontheplugisbeingturned)will bind, while the other pins simply sit in their chambers withoutmakinganysignificantcontactonanysurfacesintheshearline.Figure2.6attemptstoshowtheeffectofattemptedclockwiserotation(from the perspective of someone facing the front of the lock) of theplug.Thefourthpinstackchamberintheplughappenstobethemostsubstantially misaligned in a way that favors the right side, thus thedriver pin stack in that chamber (provided the driver pins weremanufactured to ratheruniformsizes)willbe the firstone togeneratebindingforce.Attemptingtoturnthepluginanalternatedirectioncouldpotentiallyhavetheexactoppositeeffect,orsomethingentirelydifferentcould takeplace.Since thesemechanical imperfectionsarenot justtheproductofalignmentbutalsohavetodowiththeshapeandsizeofpins,chambers,andothercomponents…themannerinwhichthelockbindsvariesineverycase.

Figure2.6 Anattemptmadetorotatetheplugofalock,causingonepinstacktobind.

A series of half a dozen locks produced one after the other on anassembly line, all by the same manufacturer, will exhibit differentbehaviors.Theoneconstantthatcanusuallybecountedonisforalocktohave a specificbinding order. That is, themechanical flaws inside alocktendtoremainrelativelystatic(althoughwearandtearcanchangethings somewhat) and one person’s picking experience of a lock willlikely be similar towhat is felt by the next person to attempt pickingsaid lock. We will examine binding order in more detail in the nextsection,“PickingwithaLiftingTechnique.”

PickingwithaLiftingTechniqueConsiderwhatishappeningmechanicallywiththebindingpinstackofalockwhen rotation of the plug is attemptedwithout a key. Figure 2.7showsamoredetailedviewfromtheforward-facingperspective.

Figure 2.7 A binding pin stack, viewed from a forward-facing perspective. Clockwisepressureisbeingappliedtotheplug.

Whentorsionisappliedtotheplug,averysmalldegreeofmovement(oftenalmostimperceptibletothenakedeye)willtakeplace.Theplugwill turn, perhaps a fraction of a degree, and the driver pin of thebinding pin stack will become pressed against the walls of the pinchamberinboththeplugandthehousing.Whiletheplugcannolongermoveanyfurther,thereisstillroomfor

adifferenttypeofadditionalmovementwithinthelock.Thepinstackisstillfreetomoveupanddownwithinitschamber.Granted,thepressurethatisbeingappliedtothelockwillcausefrictionagainstthedriverpinas it binds in the shear line. However, if a proper pushing force isappliedtothepinstack(andifthetorsionalforcebeingappliedtotheplugissoftenough,thuslighteningthefrictionexperiencedbythepins)thestackwillbegintomovevertically,asshowninFigure2.8.

Figure2.8 Abindingpinstackthatisbeingliftedbymeansofforceappliedfrombelow.

If this motion continues, notice what will eventually happen. AsshowninFigure2.9,enoughverticalmotiononthepartofthepinstackwill inevitably cause it to finally reach itsproperoperatingheight—theheight to which it would have been raised had the proper key beeninsertedintothelockbyanauthorizeduser—andatsuchatime,thispinstackwillnolongerbebinding.

Figure2.9 Aftersubstantiallifting,thispinstackisnolongerbinding.

Whenthismomenthasbeenreached,anumberofthingswillhappensimultaneously.Firstly,theplugwillmanagetorotate…notenoughto

open the lock (notnearlyenough so…perhapsnot evenenough tobeobservedeasilywiththenakedeyefromanexteriorperspective),butitwillhappen.Thisrotationwillceasewhenthelockbeginstobindonyetanotherpinstack.(Itwill tendtobeginbindingagainonwhateverthenextmostmisaligned pin stack is in that direction.)However, anothercritical occurrence will have also taken place in this moment. Lookclosely in Figure 2.9 and you will see how the plug, now that it hasrotatedeversoslightly,willhave“captured”thedriverpin.Thedriverpinisnowheldupinthehousing,justbarely,bycomingtorestontheprotruding lip at the top of the plug’s pin chamber. Even if liftingpressureisnolongerappliedtothatpinstack,thedriverpinwillnotslipback down into the keyway (as long as some rotational force is stillbeingappliedtotheplug).In this condition, that particular pin stack has been set. The process

overall of applying tension, lifting, and clicking into position is calledsettingapinanditisthebasisofallpintumblerlockpicking.Alockpickerwouldnowbefreetosetthenextbindingpininthelock,

and thenext one, subsequently removing eachone (individually) fromtheequationuntiltherearenoremainingpinstackswhicharebindingandthe plug is free to turn. The series of diagrams and photographs inFigures2.11through2.27illustratesthisprocess.When picking a lock, the first step is the application of tension (by

meansofrotationalforceupontheplug)withatensiontool.

Note

Tensiontoolsareknownbyavarietyofothernames.Perhapsthesecondmostpopularterm

for this piece of picking equipment is the name “tensionwrench”. Imyself have used this

phrasinginthepast,ashavevirtuallyallofmyassociatesandfriendsatonetimeoranother.

The use of theword “wrench” anywhere in reference to this tool, however, probably does

moreharmthangood…especiallyasfarasnewlearnersareconcerned.Notonlydoesitinvite

anevenfurthermuddlingofterms(occasionallyyou’llhearsomeonegetparticularlymixedup

andsay“torquewrench,”especiallyiftheymakeapastimeofautomotiverepair),butitalso

givessomeindicationthatthetoolissupposedtoaidintheapplicationofconsiderableforce

tothelock.Nothingcouldbefurtherfromthetruth.Atensiontoolshouldbeappliedasgently

aspossiblewhenlockpickingisattempted.Forthisreason,Idiscouragepeoplefrombeingin

thehabitofusingtheword“torque”orcallingthisitema“wrench”or“spanner”oranything

soforceful-sounding.OurgoodfriendandTOOOLchapterorganizerWalterKiczkopointedout

that “torsion tool” and “turning tool” arebetter names, given thenatureof the forcebeing

applied. Iwouldsupport thatdefinitionfromapurelytechnicalstandpoint,but I feel thata

greatdegreeofgrowingandevolvingoflanguageamonglockpickerswillbenecessarybefore

thatspecificphrasingreceivesthewidespreadacceptancethatitdeserves.Fornow,“tension

tool” or just “tensioner” are the terms I tend to use, and that is the terminology that will

appearinthistext.

Figure 2.10 shows a tension tool inserted into the plug of a lock inwhat is perhaps the most typical manner, at least for lockpickers inNorthAmerica.Ourkeywaystendtobesomewhatwiderandoffermoreroominwhichtoworkthansomeof the locksonemightencounter inEurope.Consequently,these“edgeoftheplug”tensionersarethemostpopularandappearmostfrequentlyinpickkitssoldandusedinNorthAmerica.(Otherstylesoftensiontoolwillbediscussedmomentarily.)

Figure2.10 An“edgeoftheplug”tensiontoolinsertedintoalock.

Whengentlepressureisappliedtothehandleofthistool,itwillcausearotationalforceupontheplug.Thiswill,consequently,causeabindingforcewithinthelockasoneofthedriverpinsgetscaughtintheshearline.The other tool used in this process is, quite obviously, a pick tool.Thesecomeinawidevarietyofsizesandshapesandareavailablewithawholehostofdifferenthandlesandergonomicgrips,buttheyvaryfarlessinfunctionthantheydoinform.

Note

Somemight argue that tension tools, since they are part of a “lockpick set,” are also “pick

tools” in the broadest sense of theword. This bookwill reserve the term “pick” and use it

exclusivelytorefertotheimplementsthatapplypressuretopinsorotherretainingelements

within a lock and manipulate them into position. Tensioners are no less essential to the

process of picking open a lock (indeed, many of us feel that they are the most essential

componentof theequation,particularlyas farasone’s skill and finesseare concerned),but

theywillalwaysbedesignatedbythatname,oras“tensiontools,”inthetextofthisbook.

As we shall see, the bulk of all pick tools are either lifting picks orrakingpicks.Wewilldiscussthesetermsandtechniquesingreaterdetailtoclarifythingsfurther.Theliftingpicktoolisalignedwiththebottomofadesiredpinstackandsimplypressedupward.Somelockpickerswillraisetheentirepickvertically,whileotherswillattempttomovethehandle(outsideofthelock)downward,thuspivotingtheshaftofthepickonthebottomofthekeyway and causing its tip to move upward. Neither technique isparticularly “right” or “wrong” and each has advantages anddisadvantages.

Note

Youwillseethatlineofreasoningalotwhenitcomestolockpicking.Ifatechniqueworksfor

you, by all means use it. Often you will find that many “simple” techniques are the most

effective tactics when facing cheaper, weaker locks but that the tighter spaces and better

engineering of higher-quality locksmake such techniques less effective on other occasions.

Thatdoesn’tmeanthatonewayis“better”thananother…butratherthat it ismoreor less

useful incertainsituations.Perhapsthehealthiestthingonecandoisalwaystrytokeepan

openmindandnevergetsoaccustomed toa single technique that itbecomesahabitone is

incapableofbreaking.

Ingeneral, the“rocking”ofapickcanmake liftingpinstackseasierand more controlled, but it is not always possible to do this in tightspots.Also,ifan“edgeoftheplugtensioner”(suchastheoneshowninFigures 2.10 and 2.12) is being used, rocking the pick downward caninterferewith the clean and even application of sustained pressure ontheplug.Itcanknockthetensioneroutofitsrestingplaceorotherwise

complicatematters.

Figure2.11 Withtensionappliedtotheplug,adriverpin(inthiscase,theoneinpositionnumberfour)beginstobind.

Figure2.12 Alockthatnowhasbothatensiontoolandapicktoolinserted.

Figure2.13showsaliftingpick(inthenextfifteendiagrams,abasichook-shapedpickofmediumreachingdepthisrepresented)approachingthefirstpinstack.

Figure2.13 Tension isbeingapplied,andahookpick isapproaching the firstpinstack,whichwillthenbeliftedupward.

Since thispin stack isnotbinding, little resistancewillbe feltwhenthepickispressedupintothestack.Theliftingwillbeinhibitedonlybytheveryslight(butstillnoticeable)pressureofthespringatthetopofthestack.

Note

AsmentionedinChapter1,termssuchas“up”and“down”or“top”and“bottom”canbeabit

problematicwithrespecttohowlocksareinstalledandoperatedaroundtheworld.Thistext

willcontinuetoaddresslocksfromaNorthAmericanperspective,althoughwheneverpossible

generictermsthatapplyuniversallywillbeused.

Figures2.14and2.15 show thehookpick lifting the first pin stack.Thishasnoeffectonthesituation.

Figure2.14 Liftingthefirstpinstack.Nobindingtensionisfeltandthereisvirtuallynoresistancetotheliftingforce.

Figure2.15 Furtherliftingofthefirstpinstack.Ithasnowbeen“overlifted”atthistime,meaningtheshearlinehasbeenpassedandnowthekeypinisprotrudingupintothehousing.Still,however,thestackisnotbinding.

The lock is not affected by any manipulation of the first pin stackbecausebindingforceisbeingfeltelsewhereinthelock.Onecanliftandrelease the first pin stack (in this instance)multiple times and it will

continually drop back down (both the driver pin and the key pintogether)tothedefaultposition.Thesameistrueforthesecondpinstack(asseeninFigure2.16)and

thethird(showninFigure2.17).

Figure2.16 Liftingthesecondpinstackhasasimilareffecttothefirst.Nothinghappens.

Figure 2.17 Lifting the third pin stack has no effect. It drops right back down when

released.

Itisnotuntilliftingforceisappliedtothefourthpinstack(sincethisis where the binding pin is located) that things get interesting (seeFigure 2.18). Almost immediately (to a trained lockpicker) it will beevident that something different is afoot. A greater resistance will befelt, and the pin stack will not be as easy to lift upward (see Figure2.19).

Figure2.18 Whenliftingpressureisappliedtothefourthpinstack(wherethedriverpinisbinding),thestackmustbeliftedwithadditionalanddeliberatepressure.

Figure2.19 Thefourthpinstackhasbeenliftedevenhigher.Thereisthesamefeelingofresistancefromthebindingdriverpin.

It is should be obvious when a certain significant point is reachedduringtheliftingofabindingpinstack.Ifallgoeswell,thedriverpinwill fully clear the chamber, the shear line of the pin stack will bealignedwith the plug’s edge, and there should be a noticeable “click”thatcanbefeltand/orheard(seeFigure2.20).Don’texpecttheearthtoshake, of course… but it can often be felt quite substantially. Theresultantslightmovementoftheplugmayalsobenoticed.

Note

Giventhatthehandleofone’stensiontoolextendsoutwardalongtheradiusofrotation,this

toolcanoftenbeabetterindicatorofanymovementtheplughasexperienced.Thelongerthe

handleofyourtensiontool,themoremagnifiedandpronounceditsmovementwillbeatthe

farthesttip.Movementontheorderofjustadegreeortwomightnotevenbenoticedupin

themiddleofthekeyway,butifatensiontoolisfiveinchesormoreinlengthitsfarthesttip

maybeseentomoveone-eighthorone-quarterofaninchormore.Now,Idon’trecommend

yougooutandobtainthelongesttensiontoolyoucanfind(thiswouldnotonlybedifficultto

fitintoatypicallockpickcasebutcouldalsobecumbersomeintheprocessofpicking),butit

isoftenagood idea toapplyyour tensionpressurewitha fingertipplacedas farout to the

edge of the tension tool as possible. This allows you to better control the pressure you are

applyingandalsoputsyouinthebestpossiblepositiontoobserveorfeelanysuchmovement

intheplugwhenittakesplace.

Figure2.20 Thepinstackinthefourthchamberhasbeenset.Thedriverpinisrepresentedinafadedcolortoindicatethatitisnolongerinplay.

Onceyoufeelthatfirst“click”youarewellonyourway.Whenliftingpressureisremovedfromthispinstack,oneshouldnot

expect the key pin to remain raised. True, there is no spring pressurebeingappliedtoit(viathedriverpinwhichwouldnormallybepushingdownuponit),butnothingelseiskeepingit“lifted”either.Itisfreetofloparoundinanydirectioninitschamberwithintheplug.Again,ifthelockwere installedwith thepin stacks below the keyway (as inmanyEuropean installations) the key pinwould not appear to “move” evenafterthepickceasedputtingpressureuponit,butthatwouldalsojustbeafunctionofgravity.HereinNorthAmerica,gravitywilltypicallyplay

aroleinthekeypinfallingbacktowardthemiddleofthekeyway.Theimportantthingtoremember,regardlessoftheorientationofthelock,isthatthiscasualupordownmovementofthekeypinwithinitschamberhasnoeffectonthelockatthistime.Itisnowtimetoseekoutthenextbindingpinstackandapplylifting

pressureagain,inordertosetanotherpin.Astheplugwillhaverotatedslightly(evenifyoucouldn’tvisuallyobservethiswithease),someotherpin in a different chamber will now be binding. As with the first pinstack to bind, you cannot easily predict where this next pin will belocated.Youhavetosimplycontinuetheprocessofliftingindividualpinstacks and seeing which one feel the “tightest” and offers the mostresistance.As thepickingprocesscontinues,Figure2.21showsus that thenext

pinstacktobindisinthethirdbittingposition.Perhapsthelockpickerfindsitrightaway,orperhapssomesearchingisinvolved,asshowninFigure2.22.

Figure2.21 Theliftingofthekeypininthefourthchamberiseasingoff.Thekeypinisdropping back to its default position at the bottom of its chamber; this is normal. Binding

pressureisnowbeingfeltbythedriverpininthethirdchamber,anditisuptothelockpickertohuntaroundanddeterminethelocationofthisnewly-bindingpin.

Figure2.22 The thirdpin stack isnowbinding,but the lockpickermoveson to test thefifthpinstackattherearofthelock.Noluckishad.

Whenthislatestbindingpinislocated,however,theprocessofliftingandsettingisthesameaswasseenbefore(seeFigures2.23and2.24).Gentle,upwardpressureisappliedwiththepickwhilecareistakentonot press too hardwith the tensioner. Of course, one doesn’t want toeaseup toomuchon the tension tool, since thatwould result ina fullreleaseofanypinstacksthathavealreadybeenset.

Figure2.23 Upwardliftingbeginsonpinstacknumberthree,whichiscurrentlybinding.

Figure2.24 Thedriverinpinstackthreehasnowbeenset.Pinstackfiveisnowbinding.

Ultimately,ifallgoeswell,therewillcomeatimewhenthereremainsonlyonepinstackwhichhasyettobeset.Atsuchatime,thatonefinaldriverpinisallwhichispreventingtheplugfromturning.Figure2.25showsthissituation.Liftingproceedsinthesamemanneraswithallofthepreviouspinstacks.Thedriverpinwillsetjustlikealloftheothers,

asshowninFigure2.26.

Figure2.25 Thehookpickisinposition,preparingtolifttheonlypinstackwhichisstillbinding.

Figure2.26 Thelastremainingdriverpinhasbeenset.Theplugcannowturn.

When the final driver pin has been clicked into position, nothing isholding the plug stationary any more. It should almost immediately

begintorotate(seeFigure2.27).(Somepickingexpertsrefertothisasthe point at which the plug “breaks over”.) Rotation should happenimmediatelysincethetensiontoolisstillapplyingrotationalpressuretotheplug.

Figure2.27 Theplughasbegunto“breakover”androtate.Thekeypinfromstacknumbertwoisstillliftedquitehighatthistime.Itdoesnotmatter,however,sincethereisnospaceforthekeypintomove.Ithasreachedtheedgeoftheplugandisnowfacingtheflatwalloftheplugchannelwithinthehousing.

The tension toolalone isoften strongenough toprovide the turningforcenecessarytocompletelyrotatetheplugandoperatethelock,thusopening it. (That’s assuming, of course, that you have turned in theproper direction!) It should be understood, however, that eventensioners are delicate tools used for finesse purposes more thananything else. Any lock which requires considerable effort to operateeven with the proper key will need equally substantial force when alockpicker attempts to rotate a plug that has begun to turn freely.Havinga thicker,more robust tension tool inyourkit (even if it’snotyour favorite one to use) is a good idea. In a pinch, a flat head

screwdriveroranyothersuchtoolcanhelptoencourageaplugtoturn.Onesometimesencountersstiffnesslikethisondeadboltlocks.

Theproblemoftoomuchtension

One of the biggest mistakes that people make when they are firstlearning to pick locks pertains to proper control of the tension tool. Ihaveseenmorecomplicatedandcounter-productivewaysofgrippingalockandpositioningone’sfingersthanIcancountorcaretoremember.Asalways,Istandbymyaxiomthatifsomethingworksforyou,it’snotwrongperse.However,moreoftenthannot,oddballwaysofholdingalockorapplyingtensiontendtodolittlebeyondmakinglifedifficult.Firstletusdiscussthepositioningofone’sfinger(orfingers)uponthetensiontool.Whilethereisnothinginherentlywrongwithhavingmorethanone fingeron the tensioner, it’s rarely called for…and isoftenasignthatyoumaybeapplyingtoomuchforce.Also, it’sagoodideaifyourcontactwiththetensionerisgearedtowardsapplyinga“pushing”forceagainstitinsomemanner,notattemptingto“pull”uponitwithahookedfinger,asseeninFigure2.28.

Figure2.28 Attempting to apply clockwise rotational force to the plug by hooking thetensiontoolwithone’sthumbandpullingit“downward”andtowardyou.Thismethodofusingthetensionerisnotrecommended.

Placingasinglefinger,oftentheindexfinger,onthetensiontoolandpressing downward is often the best course of action. Even here,however,thereissomeroomforvariedtechnique.Ihighlyrecommendthatpeopleattempttolocalizethetipoftheirfingerandapplypressurefurtherouttowardstheendofthetensiontool.ComparethephotosinFigure2.29(afingerpositionthatIdonotfindvery effective) and Figure 2.30 (the finger position that I use whenpicking)toseethedistinction.

Figure2.29 Applyingpushingpressure(whichisgood)atapositionveryclosetotheheadofthetensiontool(whichisn’tallthatgood).

Figure2.30 Applyingpushingpressureatapositionmuchfartheralongdowntowardsthetailendofthetensiontool.Thisallowsformaximumcontrolandtactilefeedback.

Theothercommonproblem thatuserscanencounterwhenapplyingtension is themistakeofusing far toomuch force.This isperhaps themostcommonstumblingblock that impedes theprogressof thosewhoare starting to learn lockpicking. I cannot stress enough just how littletensionisrequiredwhenyouarepickingalock.

Tip

Ifyouarestartingtolearnlockpickinganditisn’tgoingwell,theoddsareoverwhelmingthat

theproblemhastodowithyouruseofthetensiontool…specifically,toomuchpressurebeing

appliedtoit.Rather,IwouldwagerthatifIwereabettingfellow,whichIamnot.Still…just

trustmeonthis…you’repressingfar,fartoohardonthetensiontool.

MyfellowTOOOLboardmember,BabakJavadi, likes toexplain thematter to new lockpickers by asking them to consider a keyboard likethosefoundonmodernlaptops.“Imaginetheamountofpressureyou’dneed touse topushakeyonsuchakeyboard,”hewill tell thecrowdgatheredaroundhimashegivesanintroductorylecture.“Youwanttouseabouthalfofthatmuchpressureonthetensiontool…perhapsevenlessthanthat,”hewillsay,oftentothestudents’amazement.Thisisagoodreference.Perhaps you don’t have a lot of experience with laptop keyboards,however. Maybe you still type everything on a vintage IBMmodelMkeyboard(talkaboutphysicalsecurityhardware…ifyouownone,youcansimplybludgeonintrudersintosubmissionshouldanyonebreakintoyourofficeanditwillstillfunctionjustfineafterwards),andthushavenoconceptofthesoftpressurethatweencourage.Inthatcase,asimpleyeteffectivewayforyoutogaugehowhardyoushould(orshouldn’t)bepressingistolookatwhetherornotyou’relosingcolorinthetipofyourfinger.

Compare the photographs in Figures 2.31 and Figure 2.32. The firstshows proper pressure being applied to the tension tool. The user’sfingertipshowsasimilarflesh-tonetotherestofthehand.Inthesecondphoto,however,toomuchpressureisbeingused.Thefingertipdisplaysanotablelackofcolorandaconsiderable“dent”wherethetensiontoolisresisting.

Figure2.31 Properpressurewithatensiontool.

Figure2.32 Too much pressure on the tension tool. Notice the whitening of the user’sfingertip.

Theperilofoverlifting

One other significant problem that is common among individualswhoare just starting out with lockpicking pertains to too much pressurewhenliftingthebindingpinstack.Ifapinstackisraisedtoomuch,asinFigure2.33,thennotonlywillthedriverpinbeoutoftheplug,butthekeypinwillbeaswell,atleastpartially.Ifthekeypinbecomesstuckinthe shear line (and thus begins to be held by the friction of bindingforce,asseeninFigure2.34and2.35),thereisnoeasywaytobringitbackdownandoutoftheway.Theonlycourseofactionistoreleaseallpressureonthetensiontoolandallowallpinstacks,includingonesyoumay have already set, to spring back down into their original defaultpositions.

Figure2.33 Threepinstackshavebeenset,buttheliftingofthisfourthstackhasgonetoofar.

Figure2.34 Nowthekeypininthefirstchamberisbindingintheshearline.

Figure2.35 Evenifthepickismovedaway,thatstackwillrefusetodropbackdownnow.

PickingwithaRakingTechniqueNotallofthetoolsinatypicallockpickkitarespecificallydesignedfortheliftingtechnique.Ifyou’vealreadyhadalookatitemsoflockpickingequipment,youknowthatonlysomeofthetoolsinasetwilltendtobehook-shapedpicks.Anumberoftheitemsyoumayhaveseenwilleitherhavetipsthatarewavyorthatfeatureaseriesofangledpoints.Theseareknownasrakepicksandtheycontactthepinsinaslightlydifferentmanner than what was seen with the hook in the first lockpickingwalkthroughillustratedinFigures2.11through2.27.Figure2.36showsaside-viewdiagramofthebeginningoftherakingprocess.

Figure2.36 Withtensionapplied(andthus,onepinstackbinding)arakepick ismovedtowardsthekeyway.

Rake picks are typically designed so that theirworking surfaces arewide enough to contactmultiple pin stacks simultaneously, as seen inFigure2.37.Theyareusedby scrubbingbackand forth, inandoutofthelock,sothatthepickinteractswithmultiplepinsandjostlesthemtoawidevarietyofpositions.

Figure2.37 The tips of rake picks are large enough that they can contactmultiple pinstacks(orwafers)atthesametime.

Thesizeofthetipsonarakepick,coupledwiththerapidmovementthatcharacterizestheirusage,oftenresultsinthesettingofmultiplepinsstacksinveryrapidsuccession.Onoccasion,thespeedwithwhichthisisaccomplished can be astonishing, with the lock popping open sosuddenlyastotakeapersonbysurprise.Quiteabitofvariationispossibleintheuseofarakepick.Whilean

in/outmovement is theprimaryway inwhichsucha tool isoperated,manypickerswillvarytheangleatwhichthetoolisheld(intermsofitspitchupwardordownward, that is…the“blade”of thepick isalwayskept as close as possible to the vertical alignment of the keyway inwhichitisoperating)andtheoverallheightatwhichitismovingwithinthekeyway.ObservetheseriesofdiagramsinFigures2.38through2.41,which depict the process of rapidly setting pins via raking, to see themultitudeofdifferingpositionsatwhichtherakepickisheldatvarioustimes.

Figure2.38 Arakepick,liftedhighandangledupward,hassetthefirstbindingpinina

lock.

Figure2.39 Thesamerakepick,slightlywithdrawn,hassetthesecondbindingpininthelock.

Figure2.40 Therakepickproceedsdeeperinthelock,andsetsathirdpin…thistimeitisbeingheldataslightlyflatterangle.Noticethatitisroutinetomakerepeatedcontactwithkeypins in chambers where the driver has already been set. This is totally natural and is not aproblem.Thosekeypinswilljostleslightlyintheirownchambersbutthiswillhavenoeffectontheopeningofthelock.

Figure2.41 Therakepickisbeingwithdrawnwhileatthesametimeitshandleisbeinglifted upward. The tip, at this slightly downward-facing angle, manages to set the last tworemainingpinsinalmostthesamemoment.Atthistimetheplugwouldnowturnandthelockcouldbeopened.

IdonotwishtogivetheimpressionfromthislatestseriesofdiagramsinFigures2.36through2.41thattheholdingandworkingofarakepickat these varied angles and heights is a consciously-deliberate decision.Oneshouldusuallymaketheefforttoattemptadequatevarietywiththepick’smovements,butitisrarelyamatterofsayingtooneself,“Alright,inthispassI’mgoingtoholdthepickverylowatadownwardangle…nowinthenextpassI’lltrythesameangleabithigher…andnowI’llvarymyangletobeabitflatter…”etc.,etc.,etc.No,themovementofarakepickinandoutoftheplugtendstobesorapidastoprecludesuchspecificorchestrationofone’smovements.Aslongasyoudonotsticktojustasingle,unwaveringmovementof

the rake, youwill increase your chances for success. The same canbesaidofyourworkwiththetensiontool.Whilefluctuationandvariationofyourpressureuponthetensionerisnotanormalpartofliftingpicking,itisquitecommonduringtherakingofalock.

I regret that there is not amore formalized, step-by-step process tothis style of opening a lock. It is rather easily understood, but muchharder to convey instructions to someonewho is attempting it.Unlikethe precise science of lifting picking (which could be said to be likebaking… follow these steps in a specific order and you usually get apredictable, successful result), raking ismoreof anart (like cooking…youuseyourbest judgmentandexperiencegained in thepast towhipupsomethingthatyouhopegoesoverwellforallinvolved).There is also a popular technique for opening locks that I tend to

informallylabelwiththetermhybridpicking.Thisisthealternatinguseofbotharakeandahookpickwithouteasingoffof the tensionwhenswitchingbetweentools.Simplyput,afewpasseswitharakemightsetmost(butnotall)of thepins ina lock. Ifyoukeepmaintaininggentlepressure with the tension tool (and thus keep the pins which havealreadybeensetfromfallingbackintotheplug)whileyouswitchtothehook, itmay be then possible to “finish off” any remaining pin stacksthatrequirealittlebitofadditionallifting.

Thehalf-diamondpick

Thereisoneotherstyleofpickingtoolthatisacommonsightinmostlockpickkits,anditdeservesbriefmentionhere.Calledahalf-diamond,this is a terrific item (see Figure 2.42). Praised for its versatility, Iconsiderittobeanindispensableadditiontoanyone’stoolsetbecauseofthemultitudeofwaysitcanbeusedandalsobecauseofitsabilitytoperformspecializedtasks likenootherequipmentyou’re likelytohavewithyouatanygiventime.

Figure2.42 Thethreemostpopularstylesoflockpickingtools.Ontheleftisaliftinghook.On the right is a rake. (This particular one is called a “Snake” rake. For a more detailedbreakdown of picking tools and their names, see the Appendix: Guide to Tools and Toolkits.)Betweenthesetwotoolsisahalf-diamond.

People often ask me if the half-diamond is a lifting pick tool or araking pick tool. A simple “yes” is always my succinct response. Apopular story one encounters frequently is, “Imagine if a hook and arakecouldhaveachild…thisoffspringwouldbeahalf-diamondpick.”Thatanalogyisquiteapt,giventhatahalf-diamondcanbeusedtoliftindividual pin stacks delicately or it can be scrubbed back and forthquickly. Its efficacy is not always likely to be quite as decent as aspecially-tailoredpicktool(adedicatedhookwillhavegreaterreachandcan focusmore precisely on a specific pin chamber, and themultipleripplesofadedicatedrakewillmoreeasilymakecontactwithmultiplepin stacks at once than theheadof a half-diamondpick), but the factthatitcanbeusedbothwaysalmostsimultaneouslyisahugeadvantageintermsofspeedandsimplicity.Forsomeofmyfriends,thehalf-diamondisthefirstthingtheyreach

for when approaching a new lock for the first time. After all, as mynumber onepicking axiom states, “Whymake thingsharder than they

havetobe?”Ifalockcanbeeasilyopenedwithafewrakingpassesandthen a little additional lifting in one or two remaining chambers (the“hybrid”styleIdescribedabove),itmaynotbenecessarytofumblewithmorethanonetool,swappingbetweenahookandarake.Sometimesahalf-diamondpickcanhandleallofthesemotionsadequately.Anotherhighlyusefulfeatureofthehalf-diamondpickisthefactthat

itsveryfronttiphasadownward-angledface.Thiscanbeusedtogreateffect if one is working in an exceedingly tight keyway and wants to“shovel”thepinstacksinordertogetthemmovingupward.Byaligningthe half-diamond tool at the proper position and then inserting itstraightintothelock(seeFigure2.43),theleadingedgecanslipbeneaththekeypins,lettingthemrideuponthefrontfaceofthepick.

Figure2.43 Insertingahalf-diamondpickstraightintoalockcanoftenhelpthepinstacksmove upward as they ride along the angled leading edge of the tool. This can be especiallyeffectivewhenyoudon’thaveagreatdealofroominthekeywayforverticalpickmovement.

The half-diamond pick is often quite forgiving of abuse and stress,since its tip tends to be thicker andmore robust than hooks or rakes,which tend to be composed of thinner andmore intricately fashionedmaterial, particularly at their functional end. When attempting to liftindividualpinstackswithahalf-diamond,itishelpfultotrytolocalize

itspointdirectlybeneaththekeypininquestion(seeFigure2.44),butagain, an imperfect aim is unlikely to cause much trouble if you areusingthisveryadaptabletool.

Figure2.44 Liftingasinglepinstackwithahalf-diamondpick.

Thereisonemore,veryuniquewayinwhichahalf-diamondtoolcanbeusedbyalockpicker.Evenifyoudonotcometoenjoypickingwithahalf-diamond, thisadditional techniquealone isreasonenoughtokeepthetoolinyourkitatalltimes.Thehalf-diamondisuniquelysuitedtoexploring locks, helping you gather information in places where youcannotuseyoureyestoobserveandmustinsteadrelyonwhatyoucanlearnsimplywithyourhands.Often, thehalf-diamond toolwillbe theonlypick in someone’s tool

casethathasalong,flatsurfacealongonesideallthewayouttothetip.Rakes and hooks do not offer such a surface. Such a long, continuousplanecanbeusedtohelpyouindiscerningthingssuchashowmanypinstacks a lock contains…quite a useful piece of information if you’retacklingapieceofhardwarethatyouhavenotencounteredbefore.Overtime,youwillcometoknowmanymanufacturersandberelativelyabletopredictjustwhatsortoffeaturesarewithinalocksimplybyseeingits

brand andmodel. Most Master padlocks feature four pin stacks, mostKwikset and Schlage residential door locks incorporate five. Incommercialsettings,six-pinlocksareseenmorefrequently,butfive-pinlocksarestillcommonthere,aswell.However,thereareplentyofno-namelocksonthemarket,andeven

well-recognizedmanufacturersaredevelopingnewdesignsallthetime.Ifyouwishtolearnjusthowmanypinstacksareinagivenlock,grabyourhalf-diamondtooland insert it into thekeywayupside-down,withthepointed tip facingaway fromthekeypins.With thepick farawayfromthepinstacks(keep itat the“bottom”of thekeyway ifpossible)insertituntilyoufeelanobstructionattherearoftheplug(thetailpieceorcamorablockingplatewillbewhatyouarestrikingwiththetipofyourpick).Now, lift thehalf-diamondupwards,attempting to raiseallofthepinstacksevenlyandatthesametime,asshowninFigure2.45.

Figure 2.45 Using an inverted half-diamond pick to lift all the pin stacks of a locksimultaneously.

Whenyouhaveall thepinsraisedashighaspossible(muchofyourpicktoolwillnowberidingagainstthetopofthekeyway)slowlybegintowithdraw it fromthe lock,as shown inFigure2.46.Make sure it is

travelingcompletelyhorizontally.Ifthereisaslightwiggleorclickingasyoubegintomove it, thismaybea sign that the tipof the tool (deepwithinthekeyway)isencounteringasmallliporunevenmillingaroundtherearoftheplug.Thisistypical.Continueremovingthehalf-diamondwhilemaintainingsolid“upward”pressureagainstthetopofthekeywayandyoushouldsoonfeelthepickmovingalongasmooth,flatpath.

Figure2.46 Removingtheinvertedhalf-diamondpickalongasmooth,flatpath.

Asthepicktool’stipbeginsmovingpastthepinchamberswhileitisbeing removed from theplug, thepin stacks thathadbeenpushedupwillcomesnappingbackdownwardduetothepent-upspringpressureabovethem(seeFigure2.47).Youcanclearlyhear(andsometimesfeel)this snap effect. Count the snaps, and you will have determined howmanypinstacksthelockcontains.

Figure2.47 Asthehalf-diamondisslowlyretracted,pinstackswillbeginspringingbackdown into their default position. This will produce an audible “snap” when they strike thebottomoftheirpinchambers.

Ahalf-diamondtoolcanbeusedtosqueezeintounconventionalspots,triggering releasecatchesorpopping small componentsoutofpositionjust long enough to allow a lock to be attacked in a non-traditionalmanner.Itcanevenbeinsertedwithits“flat”sidetowardsthepinsandrockedslightlytoactasadimplepickifoneisnotavailable.(Wewillcover dimple locks in Chapter 6.) All told, the half-diamond could bethought of as the least specialized and yet potentially themost usefulpickinyourtoolkit.

Tensiontools

There are a few items that aren’t “picks” per se but which areindispensable tohavewithyou inapickkit.Aswe first saw inFigure2.10, tension tools are a part of all lockpicking efforts. Tension toolscomeinanumberofdifferentstylesandshapes,anditisagoodideatohaveahealthyassortmentofthemavailablewhenyouarepickinglocks.For themost part, tensioners can be classified as either “standard,”

“flat,” or “specialized,” but of course, a number of other names exist.Let’stakealookatthetwomaincategoriesfirst:standardandflat(see

Figure2.48).

Figure2.48 A “standard” tensioner (on the left) next to a “flat” style tensioner (on theright).

Initssimplestform,atensiontoolwilloftenbenothingmorethanashort, thin strip of metal that has had a small segment of its length(typically1½centimetersor so)bentata right-angle.This is themostcommontensionerthatisseeninpickkits inNorthAmericaaswellasmany other places around theworld. Often terms such as “head” and“handle”willbeusedtorefertotheshortbentsegmentandthelongerstraightsection,respectively,buttheyarenotseparatepiecesofmetal.Itis very common for tensioners to have additional bends or twistsincorporatedintotheirhandles.SeeFigure2.49foradditionalexamples.

Figure 2.49 Variations on the “standard” tensioner. On the far left is a tensioner thatfeaturesatwistedhandle.Inthemiddleisatensionerwithascallopedshaft(knownasatuliphandle)whichmakesiteasiertoapplytensiontoalockthatislocatedinarecessedcavityorupagainstawidedoor jamb.Ontherightof thisphoto isa tensioner thathasbeenbentatbothends,makingadouble-endedtool.Ifyoulookcloselyatthislasttool,youmaynoticethatthe“short”endhasbeenaugmentedwithnotchedteeththatcangrabakeywaymoretightly.Also,the“larger”headofthistoolhasbeencurvedslightly,whichalsohelps it tograbmorefirmlywithinakeyway.Inspiteoftheirmodifications,thesethreetoolswouldallstillbereferredtoas“standard”tensioners.

In contrast to the “standard” styleof tensioner, anotherpopularandoften-seen design is the “flat” tensioner.Many times youwill see thisreferred to as a “Euro” tensioner, due to the popularity of tighterkeyways in Europe and thus the increased use of flat tensionerswhenpicking those locks. Occasionally, the terms “edge of the plug” and“center of the plug” will be substituted for “standard” and “flat”,respectively.Suchtermsrefertowhereintheplugthetoolsareinserted,asyouwillsoonsee.(Asalways,I’llpointoutherethatIgreatlypreferthesetermsoveranydesignationsthatareregion-specific.Somepeoplewillmakereferenceto“topofthekeyway”and“bottomofthekeyway”but,forreasonsthatIhavediscussedinChapter1,Itrytobreakpeopleout of the habit of using those sorts of names.) Much like standard

tensioners,flattensionerscanhaveadditionalfeaturessuchasgrippingteeth,double-sidedendsforextrasizeoptions,andsoforth.Each style of tension tool has its own unique advantages and

disadvantages. The primary difference between standard and flat styletension tools iswhereandhowtheyare inserted intoa lock’skeyway.Standardtensiontoolsare traditionallyusedby inserting thehead intothekeywayattheedgeoftheplug,awayfromthepinstacks(seeFigure2.50).

Figure2.50 Astandardtensiontoolthathasbeeninsertedinthekeywayattheedgeoftheplug.(OnmostNorthAmericanlocks,thiswouldbecalledthe“bottom”ofthekeyway.).

Letustakeacloserlook(inallthreedimensions)atexactlyhowthehead of a standard tension tool fits into the lock when it has beeninsertedinthisfashion.Figure2.51showsbothafront-facingandside-view perspective, indicating how far into the plug the head of thetensionerislikelytoreach.

Figure2.51 Thisdiagramdemonstrateswhereatypical“standard”tensiontool’sheadfitswithinthekeywayofatypicalpintumblerlock.

As youmay notice, having a tool inserted into a lock like this canpresent a couple of problems. First and foremost is the fact that thetensionerisoccupyingasignificantportionoftheavailablespaceinthekeyway, thus limiting how much free room remains for someone toinsertandoperatealockpick(seeFigure2.52).

Figure2.52 Noticehowtheavailableworkspaceisdiminishedoncethetensiontoolhasbeeninsertedintothekeyway.

Anotherproblemthatcanarisewhenattemptingtopickalockwhileusingastandardtensiontoolplacedattheedgeoftheplugpertainstohowmostkeywaysaremilledinlockstoday.RecallfromChapter1that

inmostcases,thekeywayiscutstraightthroughthebottomofthelock’splug,leavingtheentirebottomoftheplugwideopen.Now,thisisnotusually a problem during normal operation. Indeed, most users nevernoticethissincethewardingworkstogetherwiththekeyprofiletokeepthebladeof thekey“raised”ever so slightlywhile it isbeing insertedinto the lock.Contrary towhat youmaybelieve, thebladeof the keyrarely rubs significantly against thewalls of the housing inside of theplugchamber.Atensiontool,however,doesnot incorporateanyspecial featuresto

keepit“elevated”withinthekeyway.Aspressureisappliedandthetoolnestlesdownintoasnugpositionwithinthekeyway,thetensionerheadmay stick through the bottom of the keyway, rubbing up against theplug channel and causing friction with the lock housing (see Figure2.53).

Figure2.53 A forward-facing perspective of lock after tension has been applied. In this

instance, theheadof the tension tool (alsoshownhere ina forward-facingcross-sectionview)has nestled downward and angled slightly, causing it to bind and drag somewhat against thehousing.Thisisacommonproblemandcanaffecttheprecisioncontroloftensionupontheplug,aswellashoweasilythelockcanbepicked.

Toovercomethesetwocommondifficultiesthatsometimesarisewhenstandardtensionersareemployed,somelockpickersprefer(and,indeed,some situations all but require) flat style tensioners. These are tensiontoolsthatconsistofasingle,unbent,flatpieceofmetalwhichiscutorstamped into a specific shape. Unlike standard tensioners, which areoften inserted in thekeywayat the edgeof theplug (opposite thepinstacks), flat tensionersaremostcommonly inserted into thekeywayatthecenteroftheplug,oftennestlingrightupagainstthefirstpinstack.Indeed,thatisacommonconcernofthedesignerswhofabricateandsellflat tension tools…theheadneeds tobe shortenough tonotprotrudetoofar,thusrubbingagainstthefirstpinstack.Someflattensioners(likethe one seen in Figure 2.48) feature an extra lip or shoulder whichregulateshowfartheycanbeinsertedintoakeyway.Figure2.54showsaflat-styletensiontoolinalock.

Figure2.54 Aflatstyletensiontool,insertedintoakeywayatthecenteroftheplug.

As you can see from the pair of perspectives in Figure 2.55, thisparticular tensioner offers far greater room within the keyway forsomeonetomaneuvera lockpickandperformattemptsateither liftingorraking.

Figure2.55 Thisflattensiontoolleavesmuchmorefreespaceinthekeyway,allowingformorefreedomofmovementwithapickingtool.

It may seem at first glance that for these reasons, flat style tensiontools are far superior to the “standard” varietywhich is so popular inNorth America. There is one more important consideration, however.Theflattensiontoolsmakefarlesscontact,overall,withtheplugthantheirstandardcounterparts.Thatmeansthatthegripaflattensionerhason the plug will tend to be more precarious. (It is precisely for thisreasonthatsmallteethorgroovesaresuchapopularfeatureontheheadofmostflattensiontools.)It is possible to reduce the loose, wiggly feel of a flat tensioner byfabricatingitinsuchawaythatitiswideenoughtoeasilycontactbothsidesofthekeywaywhenithasbeeninserted(seeFigure2.56).

Figure 2.56 Two possible sizes of head on a flat tension tool. The one on the left isnarrowerandwillpotentiallyfitinmorelocks,butitwillnothavenearlyasstableagriponthekeywayasthewider-headedtensionershownontherightofthisdiagram.

The trade-off that manufacturers of tools must consider is one ofinteroperabilityversusasnugfit.Ifaflattensiontoolistailoredtotheexact width of a specific manufacturer’s keyway, it will make awonderful grip on those specific locks, but it may be imperfect (or,indeed,totallyunusable)inlocksofanotherbrand.Aflatstyletensionerthat is quite thin, on the other hand, will surely slip with ease intonearlyallkeyways…butkeeping it steady longenough to successfullypick the lockcan thenbecomeachallenge. Itmaynot surpriseyou tolearn that many skilled lockpickers wind up picking and choosing ahealthyvarietyoftensioners,oftenfromawiderangeofsuppliers,andincludingthemintheirpickkits.

Tip

WhenIwasvisitingsomeofmyfriendsintheNetherlands,Iattendedameetingofthelocal

chapter of TOOOL. I overheard a conversation in which Jos Weyers, a member of the

Amsterdamchapter,wasaskedhypotheticallyifhecould“haveonlyten,orperhapsadozen,

tools in his pick kit… what would they be?” His response was that he would choose his

favoritehookpick(oneknownasaGonzo),asturdyhalf-diamond,aratheraveragerake,and

thenfilltherestofhisallottedspacewithaswideavarietyoftensionersashecouldobtain.

AsmyDutchfriendsarefondofsaying…thinkofthetensionerasthetoolthatactuallypicks

thelock.Yes,thehookortherakeissurelyhelpingagreatdeal,bymanipulatingthepins,but

itisyourfinesseandprecisionwiththetensionerthatmakesthemostdifference.Andifyou

can’tgetagood,controlledgripontheplugwithatensionerthatiscomfortabletouse,almost

everythingelseyoutrytodowillnotmatter.

We have yet to discuss the third category of tension tool… that of“specialized” tensioners. These are, for lack of a better term, tensiontoolsthatdonotadequatelyfitintoeitherofthefirsttwocategories.Thereareavarietyofitemsthatcanbecalled“specialized”tensionersinthesensethattheyaredesignedtobeusedinjustasinglebrandormodel of lock (two that come tomind are the “long finger” tensionerusedwhenpicking theoldSchlageEverest lockanda tensionerwhichfeatures“gripperfingers”thatisusedwhenattemptingtogetpastSmallFormat Interchangeable Core locks. (Both of these tools are producedandsoldbyPetersonInternational,bytheway.)There are tensioners thatmount or fasten to the face of a lock andthencanbecalibratedtoapplyaspecificdegreeoftensiontotheplugwithout the user having to hold them at all. (Sometimes called “dialtensioners,” thesemightmakean interestingaddition to aprofessionallocksmith’skit,butIhaveneverseenoneusedbypenetrationtesters.)Just about the only kind of “specialized” tension tool that you arelikelyencounterinatypicallockpicktoolsetorusewithanyfrequencyinthefieldisknownasa“wishbone”tensioner,sometimesalsocalleda“tweezer”tensioner.

Note

I amnotashappywith theuseof the term“tweezer”because it couldbe seenby someas

some sort of indication that the tool is used by somehowpinching together the twopaired

arms.This,plusthefactthatactualtweezersareoftenpartofalocksmith’stoolkitsincethey

areusedinservicingandre-pinninglocks,makesmemuchhappierwiththename“wishbone”

inreferencetothistypeoftensioner.

Two models of this style of tensioner can be seen in the photo inFigure2.57.

Figure2.57 A smallwishbone tensioner (oftenused forpicking smallpin tumbler locks)andalarge,specializedwishbonetensioner(designedtoaidintheopeningofautomotivelocks).

There are two specific situations when wishbone tensioners cansometimes be helpful. One pertains to pin tumbler locks, the other towaferlocks.Letusfirstconsidertheformer.Somepintumblerlocksarevery small. Luggage locks, briefcase locks, and other suchmechanismsoftenhaveexceedingly tinykeyways.Thekeywayscanbe so small, infact, that once a traditional tension tool has been inserted (either astandardtoolattheedgeoftheplugoraflattensioneratthecenteroftheplug)thereremainsessentiallynoadditionalroomfortheinsertionofpicks(seeFigure2.58).

Figure 2.58 Once the tension tool has been inserted into this lock which features anexceedingly tinykeyway, there remainsessentiallynoadditional roomforpicks tobe insertedandmovedabout.

Awishbonetensionercansolvethisproblem(seeFigure2.59).

Figure2.59 A wishbone tensioner, inserted into the same lock seen above, leaves overtwiceasmuchroominthekeywayforpickstobeinsertedandmovedwithease.

Theotherwaythatawishbonetensionercanproveusefulpertainstocertain styles ofwafer lock.We did not discuss this in the section onwafer locks inChapter1, but some such locks arewhat are known as“double-sidedwaferlocks”inwhichsomeofthewafersprotrudeoutonesideoftheplug,whileothersprotrudeinexactlytheoppositedirection(seeFigure2.60).

Figure2.60 Theplugofadouble-sidedwaferlock,inwhichsomewafersmustbepushedupwardandotherspresseddownwardinordertoallowtheplugtorotatefreely.

The most typical place that one can encounter double-sided waferlocks is inautomotiveequipment.Mostcardoorsandvehicle ignitionsare double-sided wafer locks. The photo in Figure 2.61 shows a plugfromsuchalockremovedfromitshousing.

Figure2.61 Theplugfromadouble-sidedautomotivewaferlock.

These locks are commonly attacked with raking, much like single-sidedwafer locks,butsincepressuremustoftenbeappliedatboththetopandbottomof the keyway (often times alternating back and forthbetweenbothspots)atraditionaltensiontoolcansometimesgetintheway.Whether it’sa standard tensionerononesideof thekeywayoraflat tensioner at the other side of the keyway, ultimately there oftencomesapointwhenarakeneeds tomoverightupagainst the tensiontool’shead.The very small footprint of a wishbone tensioner, however, oftenallows someone tomaintain even turning pressure upon the plug of adouble-sidedwaferlock,asseeninFigure2.62.

Figure2.62 Awishbonetensionerbeingusedinadouble-sidedautomotivewaferlock.

It isperhapsappropriate thatwehavewrappedaroundagain to thetopic of wafer locks, since I would like to close this chapter with amentionofonelastpieceofequipmentthatcanbeofgreatusetoyouifyouhaveitinyourtoolkit.Iamspeakingofjigglers.

Jigglertools

Letmebefrank…IabsolutelylovethesetofjigglertoolsthatIhaveinthepickkitthataccompaniesmejustabouteverywhere.Ifindplentyofuses for them and consider them to absolutely be the most effectivemeansofrapidlyopeningmanyofthelocksIencounteronpentestingjobs,whilemakingmyactions seem the leastobvious to thosearoundme.Much likemanyof the tools ina lockpicker’skit, jigglersareknownbyanumberofothernames.Theyareoftencalled“waferlockjigglers,”“waferjigglers,”“waferrakes,”oreven“waferpicks”duetothefactthatthey are designed to be used almost exclusively inwafer locks. Still, I

findtheinsertionoftheterm“wafer”intothenameabitredundantandalso potentially confusing, as it invites the misapplied term “rake” oreven“pick”asseenattheendoftheabovelist.Sometimesjigglersarecalled “repo keys” or “tryout keys,” although this is also misnomer.Productsbythosenamesdoexist,buttheyareratherdifferentindesignandfunction.Tryoutkeys(a.k.a.“dealerkeys”or“repoman’skeys”)areoftenmadeby the manufacturers of automobiles, or are at least designed andfabricated according to the standards for production of actualautomotive keys. They tend to have the look and feel of actualautomotivekeys(seeFigure2.63).

Figure2.63 Aseriesofautodealertryoutkeys.

(PhotocourtesyofEdRoskelly.)

Tryout keys are used by car dealers (and also by automobilerepossession agents) when the exact, original key to a vehicle isunavailable.Carsandtrucksofthesamemakewilloftenhavedoorandignitionlocksthatareallvastlysimilartooneanother.Itmaysurprisetheownerof aFordvehicle to learn that at least oneof only adozenkeysonalarge“tryoutkeyring”willmostlikelyopentheircar’sdoorsandallowthe ignitiontostart. IdriveaGMCtruck; in thepast Ihavesuccessfullyusedotherindividuals’carkeys(theywerealsotheownersofvehiclesmadebyGeneralMotors)toopenmytruck’sdoorandevenstart the ignition.Youmayhavenoticed thisphenomenon in thepast,particularlywhenacarkeyhasbecomeworndownwithageandhasacurved appearance on its bitting surfaces. Tryout keys exploit thesimilaritiessharedbymanyautomotivelocksandworkontheprincipleof“justkeep trying them;with luckone isboundtoeventuallywork.”Jigglersarenotexactlytryoutkeys…theyaresomethingelse,andtheyareusedinratherdifferentways.

Warning

Eventhoughjigglersarenotexplicitlythesamethingastryoutkeys,sometimesthelawwill

treat them as such.We have yet to discussmany of the finer points of lawwith regard to

lockpicking(inanyevent,muchofthattopicisbeyondthescopeofthisbook),butitshould

beunderstoodthatmanystatecriminalstatuteshavespecialcategoriesofcrimesthatpertain

exclusively to automotive property and auto theft. It is in these statutes, which are often

writtenbroadlyandwithstiffpenalties,thatdevicessuchas“tryoutkeys”or“repokeys”are

regulated.Whilejigglersarenotthesamething,theyhaveasimilarenoughappearanceand

functionthatIcouldseeanoverzealousprosecutor’sofficeattemptingtobasechargesaround

possessionoftheminsomecircumstances.Aswithallmatterspertainingtothesubtletiesof

law,consultwithanattorneywhoiswell-versedinthespecificswhereyouliveandwork.

Actual jiggler tools are far simpler than tryout keys. They aremanufacturedfromthin,flat,stampedpiecesofmetalandexhibitaverywidearrayofcurvesandshapesonthesurfacesoftheir“blades,”asseeninFigure2.64.

Figure2.64 Atypicalsetofjigglers.

Ajigglercanbethoughtof(moreorless)asarakeandatensionerallinasinglepieceofmaterial.Theyareusedinsomewhatsimilarwaystorakes—scrubbingbackandforthwhilebeingheldatvariousangles—but

anevengreaterdegreeofverticalup/downmotioniscustomary.Hence,the name “jigglers,” since they can bemoveddirectly up into awaferpackordownandawayfromonewithoutpullinginoroutofthelock.Tension is applied to a lock during such a tactic not by means of aseparatetool,butbyattemptingtoturnthejigglerinitsentirety,likeakey.Using jigglers can be a bit of a tricky prospect, but hopefully thefollowingtipsandadvicewillhelpyou.Firstofall,thereisthematterofselectingwhich jiggleryouwish touse (these itemsarealmostalwayssoldasapackagesetonakeyringorclasp).Myadviceistoattempttoapproximatetheshapeandstyleofwhateverkeyyouareattemptingto“replace” with the jiggler. Is it flat on one side, symmetrical, wide,narrow,etc.?SeeFigure2.65formoreadviceinthisvein.

Figure2.65 Choosingtherightjigglertoolforthejobisoftenamatterofseeingwhichonemostcloselyapproximates thekey for the lockyouareattempting toopen.Onthe leftof thisseriesofphotos,Ihavehighlightedtwojigglerswhichareflatononeside.IfIwereattemptingtoopenafilingcabinetordeskdrawer,I’dstartwiththose.Themiddlephotoshowsjigglersthatcloselyapproximatemostdouble-sidedwaferkeysseenintheautomotiveworld(thetwoontherighthalfofthathighlightedgroupoffourworkwondersonGMvehicles,forexample).Thefinalphotoonthefarrightshowsjigglersthatareveryvagueandwhichmightneedalotofin/outmotiontostrikeallthenecessarywaferswithinalock.Ifallelsefails,I’dbeadventurousandtrythose.

Inpractice,theusageofjigglersisasabstractandhardtodescribeastheactofraking.Icangiveyouabasicideaofsomeofthemotionsthat

youmightemploy,buttheactualperformanceofthistaskisasmuchanart as it is a science.Once inserted in the lock, jigglers canbemovedvertically—that is, held flat while being pushed to the bottom of thekeyway(Figure2.66)orthetopofthekeyway(Figure2.67)—andtheycanbeworkedatvaryingangles—thatis,thetipcanbepointedupwards(Figure 2.68) or downwards (Figure 2.69)—all the while the tool isbeingmovedtovariouspositionsdeepinorsomewhatpulledoutofthelock.Continuallyattempttoturntheplug,eitherclockwise(Figure2.70)or counter clockwise (Figure 2.71) and, hopefully, the plug willeventuallyturn(Figure2.72).

Figure2.66 Workingajigglerdownwardintothebottomofthekeyway.

Figure2.67 Workingajigglerupwardintothetopofthekeyway.

Figure2.68 Anglingajigglerwithitstippointedupward.

Figure2.69 Anglingajigglerwithitstippointeddownward.

Figure2.70 Attemptingtorotateclockwisewhileworkingwithajiggler.

Figure2.71 Attemptingtorotatecounter-clockwisewhileworkingwithajiggler.

Figure2.72 Successwithawaferjiggler.

Asanexperiment,Idesignedasetofjigglerswhichwouldbesmallerandmeantforeverydaycarry.Bymakingthehandlesmorecompactand

reducingtheset to the three (at least inmyexperience)mostessentialtools,Iamnowcomfortablewithkeepingthesetoolsonmykeyringatalltimes(seeFigure2.73).TheyarealwaystherewhenIneedthemandnoonehasevernoticedthemorquestionedthemintheleast,givenhowwelltheyblendinwithmyotherkeysduetotheirshorterlength.

Figure 2.73 This small set of “covert” jiggler tools is something I designed as amodificationtothemostpopular itemsintypical jigglerkits.TheyareavailableonTheCOREGroupwebsiteathttp://enterthecore.net.

Try them out and it just might astound you… jiggler tools are anamazingadditiontoanylockpickkit.

SummaryThisoverviewhasintroducedyoutoessentiallyallofthebasictoolsandtechniques for lockpicking, as far as the most typical locks areconcerned. Even though there is no shortage of styles and designs forlockpicking tools (as you can see in this book’s Appendix), the actual

techniquesused tomanipulatea lockare fairlyuniformanduniversal.Lifting,raking,and jigglingare thepredominantstylesofattackwhichyouwilluse…regardlessofwhattoolsyouhappentohaveinyourkit.Donotbeintimidatedbythehugeselectionofequipmentyoumightseeinsomeoneelse’scollection.(Anddonotbeoverlywillingtopartwithyourmoneyandinvestinamassive“fiftypiece”orlargertoolsetrightoutofthegate.)Rememberthat,ingeneral,therearehooks,rakes,anda few other small helper tools. Much of what you see in a typicallocksmithing catalog are just variations within these categories. InChapter3wewillwalkthroughaseriesofexercisesandlessonsthatyoucanusewhenbecomingfamiliarwiththesetoolsinyourownhandsasyoudevelopyourskill.

Chapter3

BeginnerTraining—HowtoGetVeryGood,VeryFast

ChapterOutline

AWordonEquipmentTheBasicsofFieldStrippingStarterExercisesLearningExercisesChallengingYourselfFurtherUsingRakesandJigglersWaferLockExercisesExtraHintsSummary

Ifyouwanttobecomeahighlyskilledlockpicker,thereisnothingthatcantaketheplaceofdedicated,consistentpractice.However,fewthingscan bemore frustrating than trying to jump directly into this field byorderingasetoftoolsfromtheinternetandbuyinganarmloadoflocksatyourlocalhardwarestore.Ifyousimplydiverightin,youmightpopone or two locks (perhaps out of sheer luck), but you are likely toencounter significant frustrationmuch of the time. This book seeks toease you into this field gradually, in away that is both satisfying andunderstandable.Thelessonsinthischaptershouldgoalongwaytowardsmakingyourfirstexposuretolockpickingbothrewardingandsuccessful.

AWordonEquipmentThereareanumberofvendors,bothonlineandatsecurityconferences,

whoofferitemsoflockequipmentwhicharedesignatedassomeformoftraining aids. Some of the most popular items are cutaway locks,weakened locks, and progressive locks. While I can understand therationalebehindeachoftheseproducts,forthemostpartIfindalotofthem less than desirable, particularly as far as return-on-investment isconcerned.Eachdoes servea function,but inmanycasesyou’re likelybetteroffsavingyourmoneyandobtainingaverysmallselectionofonespecifictypeoftrainingaid.

Cutawaylocks

Cutawaylocksareverypopularsalesitemsofferedbymostoutfitsthatsell lockpicking supplies. A cutaway is a lock that has had materialmilled away (either by the manufacturer or by an after-market thirdparty) in such a way as to reveal the inner workings of the lock andmakethemvisuallyobservable,oftenfromasideviewangle.Atypicalcutaway lock can be seen in Figure 3.1. Additionally, I have seen anumber of locks that are manufactured—in whole or in part—out ofPlexiglasorsomeothersee-throughresin.Somepeoplerefertotheseas“cutaway”locks,althoughthatwouldnotbeaproperterminthiscase.Still, theeffect issimilar…theconstructionallowssomeonetoobservethe lock’s operation, including elementswhichwould never be visibleundernormalcircumstances.Onesuchpseudo-cutawaylockcanbeseeninFigure3.2.Manyoftheselocksaredesignedforsalesandmarketingpurposesinordertoshowcasespecificfunctionsofalocktocustomers.

Figure3.1 A hand-made cutaway that shows the innerworkings of a basic pin tumblerlock.

Figure3.2 Apseudo-cutaway,see-throughlockmadebyinstallingafactoryplugfromapintumblerlockintoahousingfabricatedoutofPlexiglas.

While these sorts of products can be useful teaching aids if one isattemptingtoeducateothersregardinghowlockswork,inmyviewthey

are of limited usewhen it comes to learning how picking works… or,morespecifically,howtobecomeskilledinthedisciplineoflockpicking.Thereasonsforsuchalimitationaremanifold.Cutawaylocksoftendo

not“perform”exactlyliketheirreal-worldcounterparts.Themannerinwhichpinstackswilltendtobindduringpressurefromthetensiontoolishardertopredictandmakerepeatable.Often, theplugofacutawaycanonlyberotated inonedirection,butnot theother,outofconcernthatpinswillcomespillingoutiftheyarenotproperlyheldcaptivebythelock’shousing.Also,withlargesegmentsofthekeywayoccasionallymissing,onewouldn’ttrulylearnthereal-worldfeelofhowatensionertool might fit or how it would have to share space with a lockpick.Plasticsee-throughlockssolvesomeoftheseproblems,butoftencauseothers. Such locks are far less robust than their all-metal counterparts,andcarelessnessoroverzealouseffortonthepartofanovicewhoisstilllearningcanresultindeformationofmaterial,nottomentionscratcheson internal surfaces that will render much of the “see through”experiencediminished.Perhapstheoverallreasonwhysuchlocksarenotthemosteffective

trainingaids is the fact that lockpicking isnotavisualprocessbyanyrealmeans.Yes,directviewingofthelockcanhaveitsplace(aswewillsee on occasion in this chapter), but the great bulk ofwhat onemustobserveduringtheprocessoflockpickingissubtlehintsthatarefeltandheardasopposedtoseen.Thebesttrainingaids,inmyopinion,areonesthatallowsomeonetofeelalockwiththeirowntwohandsandhaveitofferupthesamesensationandfeedbackaswouldbeexperiencedinthereal world. To that end, I often support the adoption of progressivelypinned locks more than anything else when someone is beginning tolearnlockpicking.

Progressivelypinnedlocks

My favorite training aid in the field of lockpicking is a set ofprogressively pinned locks. Sometimes referred to in sales catalogs bynicknames like a “lockpicking school in a box”, these are an array oflocks (all of which are typically keyed alike) that pose a slowlyincreasing challenge to the user in the form of additional pin stacks.Frequently,theseprogressivetrainingaidsaresoldasa“kit”andfeaturemultiple,distinctlockswhichareallseparatefromoneanother,bearinglabels that designatewhich lock iswhich.Theprogressive locks that Iusewhenconducting trainingcourses, shown inFigure3.3, areof thisstyle.

Figure3.3 A set of progressively-pinned locks, all keyed alike, startingwith a singlepinstackandcontaininguptosixpinstacks.

While such locks are often the easiest means for a new learner tobegin immediately attempting their introduction to picking, recently adifferent style of progressive training lock has entered themarket andhas gained significant popularity, particularly among intermediatelockpickerswhoareseekingtoaugment theirskills.Knownasadrilledandtappedcylinder,thisisalockthatcanbeveryeasilyandveryrapidlyreconfigured without the need for specialized tools or locksmithingskills.Adrilledandtappedcylinder—thesetrainingaidsarealsoknownbyother names; one online vendor designates their product simply as an

“Ultimate Practice Lock”—is created bymilling and drilling additionalmaterial away from the top of the housing on a pin tumbler lock. Bytappingthreadsintothetopsofthepinchambers,thepinsandspringsofapinstackcanberetainedwithsmallscrew-caps,asopposedtoatopplateorretentioncapaswasshowninFigure1.21.AllthatisneededtoquicklyserviceandreconfigurethislockisasmallscrewdriverorAllenkey, depending on what screw-caps are used. A drilled and tappedpracticelockcanbeseeninFigure3.4.

Figure3.4 Drilledandtappedpracticelocksbeingservicedandrepinned.

Thereareadvantagesanddisadvantagestoeachofthesetwostylesofprogressive training aid. A full kit will can be easier to an absolutebeginner to use, without any needed configuration. It also lends itselfwelltoanytrainingexerciseswhereinsomeonewantstoswitchbetweendifferingdifficultiesoflockrepeatedlyandinrapidsuccession.Adrilledandtappedpracticelock,ontheotherhand,isoftenlessexpensiveandtakesuplessspaceamongone’scollectionofsupplies.Additionally,this

latter typeofpractice lock,provided itcamewithacollectionofextrapinsandsprings(thisisoftenthecase),canbereconfiguredtoawiderrangeofdifficultiesthanasimplesetofmultipleprogressivelocks.Ultimately, either progressive lock option is verywell suited for the

exercisesandlessonsdescribedinthischapter.Yourownbudget,spacerequirements, and level of comfortwith locksmithing skills candictatewhatyouchoosetoobtain.Ifyouareparticularlyadventurous,youcaneven create your own progressively pinned practice locks. In theupcomingsectionconcerningFieldStripping,wewillcoverthedetailsofthatprocess,aswell.

Theimportanceofavice

While this can seriously introduce added bulk and weight to anyassortmentoflockpickingsuppliesthatyoubegintoassemble,Istronglyrecommendobtainingadecentvice.It isabsolutelypossibletopickallsorts of locks (from padlocks to door locks to everything in between)simplybyholdingtheminyourhands,butmanypeoplefindthathavinga stable platformwithwhich to hold theirwork pieces doeswonders,particularly as novices spend time getting a very comfortable feel fortheir tools in their hands. Using a vice can also give a much morerealisticexperienceifyouarepracticingasapenetrationtester.

Note

Heavy-dutyvicesusedinwoodandmetalworkarenotnecessary…asimplehobbyvicethat

eitherclampsontotheedgeofatableorsitsontopofatable(eitherwithaheavyweighted

baseoravacuumattachment) issufficient.Someindividualsspeakveryhighlyofvicesthat

featureaballjointofsomekind,allowingforarticulationinawiderangeofdirections.

TheBasicsofFieldStripping

If youwish to create your own progressively pinned locks as trainingaids, or if youwish tobe able to service and reconfiguremanyof thelocks that youmay encounterwhen searching for new and interestingchallenges, youwill need toknow somebasic locksmithing skills.Thissectioncouldneverhopetogointofulldetailconcerningthemultitudeof facts and details regarding the assembly and installation of locks.Knowledge in specific categories suchasmanufacturer-specific criteria,compatibility of tailpieces, interoperability with door and latchhardware,andevenaworkinggraspofvariouspropertiesofmetalscanonly come from the experience of working professionally in thelocksmithtradeforyears.However,oneratherelementarylocksmithingskillthatcanbelearnedevenbybeginners,andappliedwithgreateffectwhile learningtopicklocks,isknownasfieldstripping.Instrumentaltotheprocessofre-keying,fieldstrippingisthemeansbywhichalockcylindercanbedisassembledwith all the parts preserved so they can be inspected, serviced, andreassembledineitherthesameoranewconfiguration.Allthatisneededaresomesteadyhandsandaverysimpletoolknownasaplugfollower.Plug followers can be purchased and obtained through locksmithingcatalogs inawidevarietyof sizes andmaterials…but ina sense theyoftentendtobelittlemorethansolidcylinderswithadiameterthatisverysimilartotheplugofthelockbeingserviced.Inapinch,awoodendowel (or even a raw stick of hot glue) from a craft supply store canworkjustaswellasproperplugfollower,aslongasitssizematchesupwiththerelevantplug,asseeninFigure3.5.

Figure3.5 Inapinch,awoodendowelcanworkfineasaplugfollower,providedthatitisascloseaspossibleindiametertotheplugofthelockyouareservicing.

Asyouknowfromthematerialinthefirsttwochapters,theplugofapintumblerlockwillnoteffectivelymoveatallifthepinstacksarenotset at the shear line. Thus, the first step in field stripping a lock isensuring you have the means of freeing the plug and allowing suchmovement.Havingthecorrectoperatingkeyisabighelp.Ifyoudonothavethiskey,itisnecessarytoeitherpick,bump,orshimthelockopen.(We have already covered picking in Chapter 2. We will discuss theothertechniquesinChapter5.)Alsonecessaryistheremovaloftheretainingcliporscrewcapfromtherearoftheplug.Ifthishardwareremainsinplace,itisnotpossibleto slide the plug outward towards the front face of the lock (which istypicallytheonlydirectionthatitcaneverbeejected).Somepeoplefindit easiest to remove such hardware (especially the clip style retainingmechanisms,iftheyareparticularlytight)beforethepinshavebeenset,sinceforcingtheplugtoremainstationarycanassistinthisprocess.Regardlessoftheorderinwhichitisachieved,theplugmustbemadefree tomove rotationally aswell as laterally in the plug, as shown inFigure 3.6. Rotate the plug slightly (thus guaranteeing that the raiseddriver pinswill not becomemixed into any other chambers or in anywayfallbackintotheplug)asshowninFigure3.7andbringyourplugfollowertoolupagainstitstailsurfaceasshowninFigure3.8.

Figure3.6 Withthetailclipremovedandtheoperatingkeyinplace,thisplugisnowabletomovebothrotationallyandlaterallyintheplug.

Figure3.7 Rotatingtheplugslightlywillkeepthedriverpinsupandoutoftheway.

Figure3.8 Bringyourplugfollowertoolupagainstthetailsideoftheplugthatisabouttoberemovedfromthelockhousing.

Taking care to keep the open ends of the pin chambers in the plugfacing upward, push the follower tool into the housing, as shown inFigure3.9,thusforcingtheplugcompletelyoutofthefrontfaceofthelock.

Figure3.9 Push theplugoutof thehousingusing the follower tool.Thedriverpinswillremainintheirliftedpositionsthewholetime.

If all goeswell, youwill then be leftwith twodistinct components,bothofwhichwillcontainpins:anejectedplug,stillcontainingthekeypins (see Figure 3.10), and a lock housing with the driver pins andspringsstillintheiroriginalchambers(seeFigure3.11).

Figure3.10 An ejected plug containing the lock’s key pins. Take caution not to let thechambersfacedownward(donotletitrollifyoulayitonatabletop),asthosepinswilleasilyslipout.

Figure3.11 Apintumblerlock’sbarehousingafterhavingejectedtheplug.Aslongasthefollowertooliskeptinplace,thedriverpinsandstackspringswillremainintheirchambers.

Theuseofaplugfollowerallowsthelocktoberepinnedtoadifferentkeybittingandtheplugtobereinsertedwithouteverhavingtodisplacethedriverpins.However,ifyoudoeverneedtofullyservicealock(forinstance,when creating your own set of progressive locks using store-bought products), the plug follower can be removed at this point,allowingthedriverpinstospringfree,asinFigure3.12.

Figure3.12 Ifyoudoseektofullydisassemblethelock,simplyremovethefollowertoolandthedriverpinswillejectoutoneatatime.Takecaution,becausetheywilltendtoshootoutsignificantly as the stack springs are under pressure. Be careful not to lose these smallcomponentsastheyspringfree.

To reassemblea lock, simply reverse thisprocess. Slowly insertingaplug follower into a pin tumbler housing as springs and drivers areplaced in their chambers (a small pair of tweezers and/or a small

channelcutintothefrontfaceofthefollowertoolisoftenhelpfulinthispartof theprocess)willprepare it toacceptaplugthathasall itskeypins inplace.Withaplugfully-inserted, thekeycanberemoved(takecarenottoaccidentallystartbackingtheplugoutasyoudothis),thuslocking thewholeaffair together (as thedriverpinswill thenbegin tobind).Theplugcannowsafelyandeasilyhaveitsretainingcliporscrewcapreappliedtothetailside.

StarterExercisesYoumayusethefieldstrippingskillsdescribedintheprecedingsectiontobuildyourownprogressivelypinnedpracticelocks,oryoucanavailyourself of the training supplies that are commercially-available.Onceyouhavesuchsuitablelocksandastablemountingsurface(likeahobbyvice)trythefollowingexercisesasawayoffamiliarizingyourselfwithyour tools and the overall feeling of the lock, particularly the internalcomponents that you can’t visually observe directly. Lockpicking is allabout feel…theonlywayyou’regoing to“see”what’sgoingon insidethelockiswithyourhands.

Insertingandmovingthepick

Beginbytryingtobecomeawareatleastatabasiclevel,establishinganawareness of how deeply (or shallow, depending on your perspective)youshouldeverinsertalockpickintotheplug.Takeashorthookpicktool(Irecommendstartingwiththistoolfortheseintroductionexercisesas well as your first few attempts at picking; a full index of tools isavailableintheAppendix:GuidetoToolsandToolkits)andslowlyinsertitasdeeplyasyoucanwithinthekeyway.AsshowninFigure3.13,donotconcernyourselfwithreachingtoward(orevencontacting)thekeypins.Youare interestedonly inhowfar thepicktoolcanmovebefore

either reaching an obstruction or emerging out of the tail side of theplug.

Figure3.13 Insert a lockpick into the keyway as deeply as possible.When it strikes anobstructionandcannotproceedfurther,notehowmuchofithasenteredthelock.

Seeingjusthowdeeplyyoucaninsertapicktoolwillgiveyousomenotion of the working space that you have within the keyway.Remember,eventhedeepestpinstackwillnotbequitethisfarbackfromthe front face of the lock. Some people will chose to make a smalltemporarymarkontheshaftoftheirpicktool,areminderthatsignifies“Thepickneverneedstogoanydeeperthanthispoint.”Next, try positioning thepick at variousdepthswithin theplug and

see how high you can comfortably lift it in the direction of the pinstacks. You may be able to observe that at certain positions you areratherlimitedinyourliftingrange(Figure3.14),whileothertimesyoucanreachveryfarupbeyondthekeyway(Figure3.15).Youarefeelingthepinchambersandtheflatspacesbetweenthem.Bear inmind,youshould never concern yourself with lifting the pins beyond the “topheight” that you can reach in-between pin stacks (the height felt inFigure3.14),sinceanormaloperatingkeyinatypicalpintumblerlock

wouldneverneed(orindeed,beableto)liftupbeyondtheheightofthekeyway.

Figure3.14 Trymovingthetipofyourpicktoolinthedirectionofthepinstacks.Youwillfeelsomeobstructionatpointswhereyouarein-betweenpinsandyoustrikethe“top”surfaceofthekeyway.Thisisanimportant“height”sinceyoushouldrarely,ifever,havecausetopushthepicktoolbeyondthatlevel.

Figure3.15 Apickliftinguponapinstackandpushingitwellbeyondtheheightnormallyrequiredduringpicking.

Findtheveryfirstpinstackatthefrontmostpositionwithintheplug.While it is possible to visually detect when the tip of your lockpick

directly, recall that I am a big supporter of trying to distinguish anddiscernthingsbytouchalone.It’snevertoosoontodevelopthisskill.Bywhatevermeansyouchoose,bringthetipofyourlockpickrightupagainst the first key pin. Experimentwithways of pushing on the pinstack. The two primary ways of pressing on the pin stacks of a lockduringpickingarewhatIcallraisingandrocking.Aswithmostaspectsoflockpicking,asIamoftenwonttonote,it’salwaysatrade-offandbothtechniqueshavetheirownprosandcons.WhenpinstacksaremovedbythetechniqueIrefertoasraising,thepick tool is held relatively horizontal (in alignmentwith the plug andkeyway) thewhole timeand is lifted“vertically” in itsentirety towardthe driver pins. As seen in Figure 3.16, the tool’s handle is movedupward,andthisliftsthepinstack.

Figure3.16 ThemethodofpushingonpinstacksthatIrefertoas“raising.”

ComparethattechniquewithwhatIcall“rocking”thetool.Insteadofkeepingeverythingperfectlyhorizontal,inthismethodthehandleofthelockpickismoved“downward”whiletheshaftofthetoolrestsuponthebottomofthekeywayandpivots,asseeninFigure3.17.Thus,thetipof

thepicktoolmovesupward,andthisliftsthepinstack.

Figure3.17 ThemethodofpushingonpinstacksthatIrefertoas“rocking”.

Whichmethodisbetter?Well,that’slargelyafunctionofwhattypeofkeywayisinthelockthatyouarepicking…buttheoverallconcern(asis so often the case) is what works best for you. It is possible tosummarizetherelevantmeritsofbothtechniquesbysayingthatraisingcanoftenbeperformedmoreeasilyinverytightkeywaysthathavealotofwardingwhichcomplicatespickmovement,butrockingisofteneasierto control and allows formore nuanced articulation of the pin stacks,particularly in lockswherepinmovement is sticky, tight,orotherwiseless than ideal. Once you have experimented with both of thesetechniquesandgottena feel forhowyourpicktool fitscomfortably inyourhand (again,whatever seems toworkbest foryou is fine…somepeoplewillholdalockpicklikeapencil,otherslikeachopstick,andstillotherswill grip itwith theirwhole fist andperhaps extendone fingerdownalongtheshafttobetterfeelthesubtletactilecluesthatalockwilloffer when being probed and picked. See Figure 3.18 for examples ofeachofthesedistinctstylesofholdingalockpick.

Figure3.18 Threedifferentstylesofholdingalockpick.Neitheris“superior”totheothersinanykeyway.All thatmatters iswhat ismostcomfortable foryouandwhichgivesyouthebestarticulationandtactilefeedback.

Feelingthespring

The time has come when you will want to begin working with aprogressively-pinned training lock. Start out with just a basic“ProgressiveNumberOne”…thatistosay,alockwhichcontainsonlyasinglepinstackinthefirstchamber,asshowninFigure3.19.

Figure3.19 Thefirstlockinanyprogressivelypinnedsetoftraininglocksshouldcontainonlyasinglepinstack,locatedinthefirstpinningchamber(theoneclosesttothefrontfaceofthelock).

A tension tool isnotneeded for this exercise;useonlya shorthooklockpick.UsingthepushingtechniquesdescribedintheprevioussectionandshowninFigures3.16and3.17,andholdingashorthookpickusing

anyofthestylesshowninFigure3.18(oranyothergripyoufindmostcomfortable),liftthispinstackasshowninFigure3.20.

Figure 3.20 Lifting the only pinned chamber in the first lock of a progressive set. Notensiontoolisbeingused.Alloneneedstoholdisahookpick.

Feelthepinstackmoveupanddown.Canyoufeeltheresistanceofthespringwhichispartofthisassembly?Nomattertheangleatwhichthe lock is held, the resistance you feel should remain consistent.Remove the pick, reinsert it, find that first pin stack, and feel theresistanceofthespringagain.

Settingasinglepinstack

Remove your lockpick tool from this Progressive Number One lock.Insert a tension tool into the keywayandapply tension to theplug ineither direction you desire. Use any tensioner you like, in whatevermanner you choose… but, as described earlier and shown in Figures2.28,2.29,and2.30,thenatureofyourgripandapplicationofpressureonthetensiontoolwillhaveasignificantimpactonhowsuccessfulyourpickingattemptsarelikelytobe.Doyourverybesttoapplyverylightpressuretotheplug.Becauseyouarecurrentlyworkingwithalockthat

hasonlyonepinstack, therecanbenodoubtas towhere thebindingdriver pin in the lock is currently located. It is in the first chamber…thatistheonlypossiblechamber,sincethisistheonlypinstackpresent(seeFigure3.21).

Figure3.21 Withtensionappliedtothefirstlockinaprogressivekit,thereisnoconfusionastowherethebindingdriverpinislocated.

By whatever method you choose, push this binding pin stack (seeFigure 3.22) until the driver pin sets at the shear line. Since no otherpinsarepresent inthe lock, theplugwillcompletelyturnat this time.While itmaynot seem impressive, given that such a lockwith only asinglepinstackputsuplittleresistanceatall,donotdiscounttherealityofwhathashappenedjustnow…someofyoumayhavejustpickedyourfirstlock!

Figure3.22 Pushingontheonlybindingpinstackwithinthisfirstprogressivelock.

LearningExercisesWith the fundamentals now laid down for holding and operating yourtools, and with an in-depth understanding of how locks function andhow pickingworks, it is now time for you to try a series of exerciseswhichshouldhelptodevelopyourabilitiesasalockpicker.Noonecanbecomeamasteratanyintricateskillovernight,butIamconfidentthatif you follow along with some of these suggested exercises, you’llachievegreater success ina shorterperiodof time thanyouotherwisemightusingothertrainingtechniques.

Slowdown,lightenup

Startwiththesameprogressive lockfromthepreviousexercise. If it isstill “picked” turn it back to the center position and let thedriver pindropbackintotheplug,lockingitinplace.Pickthelockagain,thistimemoreslowly.Reallytrytocontrolverydeliberatelyhowyouliftthepinstack. Once it is picked, reset it again. Pick the lock again, trying todeliberatelyapply lesspressure to the tension tool.Reset the lock,andnow pick the lock yet again, this time conscientiously using even less

pressure on the tension tool. Each time, you may start out thinking toyourself, “I was already using a ridiculously light pressure on thetensioner…there’snoway that thiscanwork this time.”Still, Iallbutguaranteethateachtimeyoulightenuponyourtensionpressure,itwillactually feel much easier to move the pins and to allow the “click”momenttohappenasthedriverpinsetsattheshearline.Whatyoureallywanttofeelisthedistinctionbetweenanon-binding

pin stack (which will offer some degree of resistance, due to thepresence of the spring within the pin stack) and a binding pin stack(whichshouldofferconsiderablymoreresistancewhenyouliftitwhileattempt to set thedriverpin).Alternatebetweenattempting to lift thepinstackwithnotensiontoolatallinthelockandapplyingtensionasyoulifethepinstack.

Tip

Learning todistinguishbetweenabinding andanon-bindingpin stack is perhaps themost

essential aspectofbecominga skillful lockpicker.Really take the time to alternatebetween

differentstylesofholdingyourtools,applyingtension,andpressinguponthepinstackwhen

working with this first progressively-pinned lock. By becoming adept at distinguishing

betweenthefeelofabindingandanon-bindingpinstack,youwillbemuchmoresuccessful

inyourattemptstoidentifythebindingpinamidawholeseriesofpinstacks.

Twopinstacks

Onceyoufeelconfidentwithyourabilitytodiscernsomeofthetactilefeedback that a lock can offer you, switch to the second lock in yourprogressivelypinnedkit.ShowninFigure3.23, this isa lockwith twofunctionalpinstacks.

Figure3.23 Thesecondlockinaprogressively-pinnedtrainingkit.

Thiswillbethefirstlockwhereyoucantrulyattempttoobserveandrecognizewhenyouhavesuccessfullysetonedriverpinbutnotyetfullyunlockedalock.Applyverylighttensiontothelock(inthemanneryoutrainedyourselftodointhelastexercise)andtrytopushuponeitherofthe two pin stacks. Can you distinguish which one offers almost noresistance?Now,animportantconsideration…ifyoupushproperlyonthe binding pin stack, can you observe the behavior of the lock(particularlytheplug)whenthisfirstpinoutoftwobecomessetattheshearline?There isavery real chance thatyou’llbeable to feeland/orheara

slight clickwithin the lock.Whilemany of us in the physical securitycommunity are quick to point out that lockpicking isn’t a visual art, Iwillmentionherethatitmayevenindeedbepossibletolookatthefaceofthelockandobservethismomentwhenonepinhassetduetoslightrotation of the plug. Some peoplewill even choose tomake amarkerlineonthefrontoftheirlock(asshowninFigure3.24)andthusbeabletomore clearly seewhenmovementhasoccurred (as shown inFigure3.25).Whilethismaynotbenecessaryatthisearlystageofthelearningprocess, it can still be slightly helpful to some people… and it most

certainly can be used to great effect later on when we discusscircumventingpick-resistantpinsinChapter4.

Figure3.24 Amarkerlinedrawnonthefrontfaceofalock,showingthedefaultalignmentoftheplugwithinthehousingwhenitisatrest.

Figure3.25 Afterapinhasbeensetandtheplugrotatesslightly,themarkerlinemaybeabletohelpyouobservethissubtlemovement.

Attempttopickthissecondprogressive lock(whichshouldn’tbetoodifficult, given that it has only two pins) a few times. Try to observe(eithervisuallyormanually)themomentthefirstpinissetandtheplugclicksslightlyintoposition.Tryturningintheoppositedirectionasyou

makesomeofyourattempts.Doesthesamepinseteachtime?Ordoesthebindingorder reverse?Thiswillbecomean interestingquestionasyoumoveontothreeandfourpinstacksinalock,etc.Rightherewouldperhapsbethebestplacetomentionacouplenotes

about the picking process that are occasionally points of confusion forpersons just startingout,as theybeginreally learninghowtosetpins.Sometimesthereexistssomeconfusionwithrespecttothekeypin(the“bottom” pin in the stack) and its movement and position within theplug during picking. Some novice pickers can be seen peering deeplyinto the keyway of a lock upon which they are working, and aresometimesheardtoremarkwithdisappointmentthattheyfeeltheyhavesetapin,butit’snot“staying”up.Whattheyareoftenobservingisthekey pin, which is now free tomove around in its channel within theplug.Thisistotallynormal.(ThiswasreferencedinChapter2andsuchfreedomofmovementwaseven shownspecifically inFigure2.21.)Donotassumethatyouarenotproperlysettingdriverpinssimplybecauseyouarestillseeingthetipsofpinshanginginaverylowposition.Itisnot necessary (or, indeed, desirable) to keep the entire pin stack(includingthekeypin)completelystatic.Onedoesnotpushtheheadofthetensiontooldeeperintothelock,either,inanefforttocatchortrapsuchpinsandpreventtheircontinuedmovement.Intheveinofourexercisefor“discerningtypesofpressure”whereI

askedyoutoattempttodistinguishbetweennormalspringforceandabindingpinstack,wecouldaddathirdcategory…canyoudiscernwhenyouarepushingonapin thathasnopressureactingupon it from theoppositeside?Whennosprings,nobinding,nothingatallcanbefelt…youarealmostcertainlyjustfeelingakeypinthatisfloatingfreewithinitschamber,andyouhavelikelysetthedriverpininthatposition.

Threepinstacks

Have you been able to feel the clicking of the first driver pin you setwhile working with the second lock in your progressive training kit?Haveyouobservedslightrotationoftheplug,orheardanaudibleclickwhenthistookplace?Ifyouareconfidentthatyouareabletodiscernthesesubtlecues,youmaybereadytomoveontoalockwhichfeaturesthreepinstacks.Eitherobtainthethirdlockinyourprogressivetrainingset, or, if you are working with a drilled-and-tapped practice lock orusingfieldstrippingtechniquestobuildupalockasyougo,reconfigureyourexistinglocktoincludethreepinstacksasshowninFigure3.26.

Figure3.26 Thethirdlockinaprogressively-pinnedtrainingkit.

Continueattemptingtopickasyoudidinthepreviousexercisewhichfeaturedthetwo-pinlock.Canyouhuntaroundandfeelforthebindingpinstack,thenpressuntilyoufeelthedriverpinsetattheshear line?Can you distinguish the specific order inwhich the pins are binding?Does that binding order seem consistent, provided you continueproviding tension inauniformdirection?Tryapplyingyour tension intheoppositedirection…howdoesthisaffectthebindingorder?If you are not self-conscious about it, I highly recommend trying to

pickwithyoureyesclosed,particularlyonceyoureachthispointinyourlearning process. This can really encourage you to pay attention withyourearsandyourhandsandhelpyoutonotrelyexclusivelyonvisualevidence,whichshouldbecomelessandlessinstrumentaltotheprocess.Somepeoplereportasignificant increase indifficultybetweenlevels

threeandfourofaprogressivelypinsetofpracticelocks.However,fearnot…itisn’tnecessarytoimmediatelyjumprightuptothenextlevel.Ifyou are enjoying yourself and you feel you are learning a lot with aProgressive Number Three type of lock, you can continue challengingyourselfanddevelopingyourskillswiththispiecealoneforabitlonger.In addition to attempting to pick in both directions, try attempting topickwithvariousstylesoftensiontool.Centeroftheplug,edgeoftheplug,andevenwishbonetoolscanallbeusedandtheywillperformintheir own unique ways. Try both the raising as well as the rockingmethodsofpushingthepickintothepinstacks.Youmayhavealreadysettled in to a happy routine, featuring the particular tools andtechniquesthatyoulikethemost…butexpandingyourlevelofcomfortwithawiderangeof tactics isaverygoodthing.Andit’s fareasier toachievesuchcomfort(andtofeelsatisfactionasopposedtofrustration)when working with an easy-to-medium level lock such as one whichfeaturesonlythreepinstacks.You can vary the situation a bit and keep the challenges interesting

evenwithinthissinglelockbyfieldstrippingit(orbyremovingthetopretaining screw caps, if you are using a drilled-and-tapped lock) andrepinning it inadifferentorder.Remember,evensimplyswitchingthedriver pins around can sometimeshave an effect on thebindingorderand the ease with which a lock can be manipulated. True, theinconsistenciesinthedrillingofthepinchambersoftencontributemuchmore to the specifics of binding order, but do not discount the pins.

Changing around the existing components within a three-pin lock canofferadditionalchallengesifyoufeelyouaren’tquiteuptothedifficultyofalockfeaturingfourworkingpinstacks.

Warning

If you opt to re-pin your number three lock as advised here, or any of your locks for that

matter,youshouldbearinmindthatthiscanremoveyourabilitytooperateapracticelock

withitsoriginalkey,shouldithavecomewithone.Now,thismaynotmakelifedifficultwith

a three-pin or even a four-pin lock, but if you suddenlyhavenowayof easily unlocking a

ProgressiveNumber Five orNumber Six, youwill have a hard time field stripping it again

should you wish to remove pins, reconfigure the lock, etc. Of course, a drilled-and-tapped

cylinderwillnotoffersuchanobstacle,because the topsof itspinchamberscanalwaysbe

removedandallpinstackscanbedumpedoutatanytime.

Fourpinstacksandbeyond

Onceyoubeginapplyingthesesametechniques to lockswith fourandfive pin stacks, you are essentially picking real-world locks. Manycommonpadlocksfeatureonlyfourpinstacks(liketheprogressivelockshowninFigure3.27)andwilloffersimilar levelsofresistancetoyou.The bulk of door locks in North America (especially in residentialsettingsandsmalleroffices)arefive-pinlocks.

Figure3.27 Thefourthlockinaprogressively-pinnedtrainingkit.

Itisentirelypossibleatthispointforyoutovisityourlocalhardwarestore and seek to acquire additional practice locks. I will offer thefollowingthreetipsofguidancetoyouwhenitcomestoacquiringnewpracticelocks:

Tip

1. Spend Wisely—Don’t go crazy right off the bat, buying a dozen or more locks at the

hardwarestore.Youmayhavejustwoundupwithvirtuallytwelveofthesamething.Now,

it is true, sometimes two instances of the exact samemake andmodel lockwill perform

differentlyduetovariationsintheirmachining.However,ingeneralit’sbesttotryforsome

healthyvarietyofbrands,styles,andmaterialsinyourlockswhenyou’relearning.

2. Security Pins—Occasionally, even cheap locks at local hardware storeswill feature some

anti-pickdriverpins(or,morethanlikely,theywilloccasionallyfeatureonesinglesecurity

pinsomewhere).Wehaveyettodiscussthepickingofsuchpins,butwewillcoverthatin

thenextchapter.

3.TooCheapCanBeUnhelpful—Somepeoplewhoexperiencedconsiderabletroublepickinga

four-pinandfive-pinlockwhenworkingwiththeirprogressivetrainingmaterialsmaytryto

minimize the level of difficulty at the hardware store level by obtaining the absolute

cheapestlockstheycanfind.Afterall,giventhatpickingismadepossiblebyimperfections

thatarisewithinalockduetocostsavingsduringmanufacturing…it is logicaltoassume

that thecheaper the lock is, themore flaws itwilloffer,and thus theeasier itwillbe to

pick. This is not always the case. Granted, cheap locks will almost always feature many

minorblemishesand imperfections.However,very cheap lockswill sometimescome from

factories with very bad quality controls. In such extreme instances, the locks may not

adequately“behave”properly,forlackofabetterterm.Theremaybesomuchwiggleand

flop of the plug within the housing that discerning where and how to tension the lock

becomesandelicate,ifnotimpossible,task.Theremaybesomuchimperfectionamongthe

shapeofthepinsandtheirlackofatightfitwithintheirchambersthatthelockcanbeset

inalmostanyorderandwithtremendousease.Whiletheseincrediblycheaplocksmightbe

of some use to an individual who is practicing raking techniques, they are usually

frustrating,morethananythingelse,tosomeonewhoisseekingtoliftindividualpinstacks

with precision. I’d stay away (at least at first) from locks that featureno brand name or

significantmarkingsandwhichperhaps cost less than fiveU.S.dollars.This isnot to say

thatsuchsloppylocksaren’taninterestingchallengeforanestablishedlockpicker(afterall,

trying todrive fastdowna slickordebris-filled roadmightbea challenge for a race car

driver, and this could bring them more in touch with the intricacies of their particular

hobby),butIdorecommendthatpeoplewhoareinitiallyworkingtheirwayuptofour-pin

and five-pin locks try to stick tomiddle-of-the-roadqualityproductswhenbrowsing store

shelves.

ChallengingYourselfFurtherSo… perhaps you believe that you’ve exhausted the possibilities forchallenging yourself using progressive training locks and the basicmaterials thatyoucanbuyat the store.Well, thereareactually still anumberofthingsyoucandowiththisintroductoryequipment.Byusingthe field stripping skills described earlier in this chapter, or simplybyunscrewing the tops of a drilled-and-tapped practice lock, you can

reconfiguresomeofthechambersandpinstackstothefollowing,moreadvancedstyles.

Deepreachpractice

Takealookatthekeysonyourkeyring.I’mwillingtobetthatfew,ifany,ofthemfeatureanentirely“downwardstair”patternofbittingcutsthat grow increasingly low as you look out along the blade, movingawayfromtheshoulder.Almostalwaysthereissomepointwithinalockwhere youmust push “up” (from aNorth American perspective) on adeeperpinwhiletakingcarenottooverliftadditionalpinstacksclosertothefaceofthelock.You can pin your locks specifically in ways which allow you topracticethisskill.Beginwithasimpleapproach,usingalockwithonlytwo working pin stacks. Ensure that the front-most key pin (the oneclosesttotheouterfaceofthelock)islonger(thusrepresentingadeepercutonthekeybladeat thatposition) thanthekeypin inthechamberbehindit(seeFigure3.28).

Figure 3.28 A “deep reach” practice lock, equipped with a longer key pin in the firstchamber.

Use this lock to examine whether or not you have any difficultyreaching far enough with your hook to work on the rear-most pinwithoutdisturbingthepinstackwhichisclosertothefrontfaceofthelock(seeFigure3.29).

Figure3.29 Reachingcarefullywithapickinordertopushonashorterkeypin,buriedmoredeeplywithinthelockthanamuchlongerkeypinwhichislocatedinthefirststack.

Experimentwithmovingthispairofpinstacksdeeperwithinthelock.Installtheminthethirdandfourthchambers,orperhapseventhefourthand fifth! Can you still reach adequately and appropriatelywithin thelock?Canyoupick it ina repeatableandreliable fashion?Experimentwithdifferenttypesoftensiontoolshere,too.Usingastandardtensionerattheedgeoftheplugmaynotleaveyouenoughroominthekeywaytomake this reach from such an extreme angle. A flat style tensioner,insertedatthemiddleoftheplug,mightbecomenecessary.Youcanbegintoattemptthismannerofdeepreachpickingonlocksthatcontainincreasingnumbersoffunctionalpinstacks.Byalternatingbetweenlongandshortkeypins(withshorteroneslocatedonechamberdeeperthaneachlongone,asseeninFigure3.30)youcanbegintoofferyourself some serious challenges… often beyond evenwhat youmight

everfindontypicalstoreshelves.Thisisbecauseofaconsiderationwithwhich professional locksmiths must address on a regular basis:something known as a lock’sMaximumAdjacent Cut Specification, orMACS.

Figure3.30 Apracticelockthathasbeenkeyedinarepeating“high/low”patterninordertoofferalockpickeranadditionalchallenge.

Manufacturers of locks do not just codify the depths of the possiblebittingcutswithscalar,numericalvalues.Other factorsexist regardingpinsizeandpinorderwithwhichalocksmithmustcontend.Onesuchissuepertainstothesizesofkeypinswhichcanbeplacedsidebysideina lock. Two exceedingly different-length pins cannot usually occupychambersdirectlynexttooneanother.Thisisbecausecutsonthebladeof a keymust bemade at specific, gently-sloping angles. Consider theblade of the average key we have been discussing in this book’sillustrations, first appearing in Figure 1.22. Think about how the pinstacksrideagainstthekeyasitentersthelock,asshowninFigure3.31.What if thecutson thebladeofakeyweremadeatverysharp,more“vertical”angles?HoweasilycouldthekeydepictedinFigure3.32enterthelock?Itwouldbemuchhardertomovethebladealongthekeypins.

Figure3.31 Atypicalkeybeinginsertedintoalock.Thekeyexperienceslittledifficultyasittravelsintothekeyway.

Figure3.32 Ahighlyatypicalkey featuringbittingcuts thataremuch steeperandmoreverticalontheirsides.Howeasilycouldakeylikethisbeinsertedintothelock?

ThereisnothinginparticularaboutthekeyinFigure3.32thatwouldmakeitunsuitedtorotatetheplugofthislock;itwouldraiseallofthepinstackstotheirrequisiteheights,afterall.But itwouldprobablybequiteanordealtogetthiskeyinsertedinto(nottomentionsubsequentlyremovedfrom)thekeyway.Thebittingcutsonthebladeofakeyneedtobeatashallowenoughangletoprovidethegentleslopenecessarytoallowforeasymovementofthepinstacks.Ifaverylongkeypin(say,anumbereightbittingsize)wereinstalledinalockrightnexttoaverysmallpin(perhapsanumbertwopin),oneoftwooutcomeswouldbelikely.Eitherthebittingcutsonthebladeofthekeywouldhavetobemadeexceedinglysharpandvertical,similar

towhatisseeninFigure3.32,orthe“deep”cutofanumbereightvaluewouldhaveacollateraleffectontheadjacentcutpositions.Abittingcutat depth number eight (if made with a traditional, wide, and gently-angled cuttingwheel)would “spill over” to a large degree, preventingthatsamecuttingwheelfromcreatingapropernumbertwocutdepthatthenextposition.Because of considerations likeMACS that affect products in the realworld,itisevenpossibleforyoutocreatepracticelocksthatexceedthelevel of difficulty (as far as bitting codes are concerned) which youwouldfindintherealworld.

Blindlymixandmatch

There’snosubstitutefortheelementofsurprise.Ifyouhavepinnedandassembled a lock yourself, you will have a pretty good idea of whatcomponents are inside even after you can no longer see them. Fieldstrippingandreconfiguringyourpractice locksare indeedfinewaystooffer yourself some additional challenges, but formaximumeffect youmight consideraskinga friendorassociate toplay the roleofpseudo-locksmith for you. Put them in charge of reconfiguring the lock, thensimplygivingitbacktoyou.Youarenowabletobegininspectingitandattackingit,blindtowhatspecificcomponentsareinside.Agreatmanypossiblegamesandchallengescanbepossiblelikethis.One such game is similar to a training activity that some of myassociatesinthephysicalsecurityworldandIenjoyatthefiringrange.Itworksbyhavinganassociateloadthemagazineofanautomaticpistolorrifle,insertingadummyroundofammunitionsomewhereinthestackoftraditionalbullets.Whenthismagazineissubsequentlyused,atsomepointduringyourshooting,thedummyroundwillbeencounteredandthegunwillfailtofire.Asashooteryouthenreactaccordingly,clearing

themalfunctionandreengaging the targetasquicklyandefficientlyaspossible,andone’sbehaviorundersuchascenariocanbeevaluatedandassessed.Thefactthatyou,theshooter,didnotloadthemagazineaddsgreatly to the realismandusefulnessof thisexercise, sinceyoucannotpredictwhen(ifever) suchan inconsistency in theperformanceof thehardwarewillhappen.Considerhavingyourfrienddosomethingoddtoonepinstackofthelock when they are assembling it. If you can spare a spring, cut onedown to a smaller size (as seen in Figure3.33). Even though itmightlookquitestrange(andcouldeliminateyourabilitytouseakeyinthelock until the next time you field strip and reconfigure it yet again),considerhaving someoneuseadriverpin inplaceofakeypin inonechamber(asseeninFigure3.34).

Figure3.33 Apracticelockthatfeaturesaspringinonechamberwhichisdifferentfromalltheothers.Thespringinchambernumberfourhasbeencutslightly…thusofferingslightlylessresistancewhenpressedupon.

Figure3.34 Apracticelockthatfeaturesakeypininonechamberwhichisdifferentfromalltheothers.Inthefourthchamberadriverpinisbeingusedasapseudokeypin.Thismightnot function properly (note how it cannot drop completely into the pin chamber due to itsdistinctshape)butcanmakeforafun,unexpectedfeaturewithinalock.

Reaching into such a lock and being asked to simply “inspect” eachchamberwithone’spicktool, tryingtofindwhichpinstackisnot liketheothers,canofferauniquechallengeandhelpsomeonedeveloptheall-importantskillof“seeingwiththeirhands”whichisessentialtotheprocessoflockpicking.Of course, beyond these particular diversionary games, it is entirely

possibletogetalotofgoodpracticefromsimplyaskingyourfriendsandassociatestore-pinfunctionallocksforyouinordertointroduceplentyofvarietyrepresentingallthedifferentordersofbittingandbindingthatyoumayfacewithlocksintherealworld.

UsingRakesandJigglersIt ishard to spendconsiderable timedescribinghow touse rakepicksand jiggler tools.Themethod is so randomandsuccesscanhappensosuddenlyasaresultofanumberofsmall,perfectly-timedcoincidences.Still, I can try to offer a few points of advicewith respect to the use

theseitems:

1. Speed—When either raking or jiggling, fast movement is key.Remember, these are not finesse techniques; they are designed tocatchmultiplepinsormultiplewafers in the rightplaceat the righttime.

2.Variation—It’snevereasytopredicttheexactrightpositionforone’srakes or jiggler tools. The onlyway you’re likely to get luckywhenattemptingtoattacka lock in thismanner isby introducinga lotofvarietyintotheuseofyourtools.Holdtherakeperfectlyhorizontal,thenangled slightlydownward,andalso slightlyupward…allwhileyouaremovinginandoutofthelockrapidly.Youcanevenkeeptherakerelativelyhorizontalbutvarytheoverall“height”atwhichit isbeing positioned in the keyway. Using some degree of varyingpressureonyourtensiontoolisalsooftenahelpfultacticifyouaren’texperiencingmuchluck.

3.LightTension—Duetothefeverish,oftenviolent,movementsthatareassociatedwith rakingand jiggling, it is sometimesveryeasy to slipintothebadhabitofapplyingtoomuchpressureonthetensiontool.Nomatterhowclenchedyourmusclesare inonehand,as it rapidlymovesyourrakingtoolbackandforth,keepyourotherhandrelaxedanddoeverythinginyourpowertoapplygentle,subtletensiontotheplug.

Techniquesoftoolmovement

Rakesandjigglertoolscanbeoperatedinanumberofways.Theycanbe held almost perfectly horizontally and moved directly along thebottomsurfaceofthekeypinsinalock,asdepictedinFigure3.35.Thissamemotion (a direct in-outmovement perfectly parallel to the pins)canbeperformedwith the rakeheld at varying angles, as depicted in

Figure3.36.Jigglertools,ontheotherhand,areoftenusedwithamuchgreaterfocuson“vertical”movementsaccompanyinganyin-outmotion.Aseriesofpunctuatedupanddownmotionscanforcethepinsorwafersdramatically,asyouhopetocatchmostorallofthemclosetotheshearline at the same time. This motion (shown in Figure 3.37) is lesscommonlydonewitharakepick,butitcanstillbeattemptediftheneedarises…particularlywithwaferlocks.Ofcourse,therearealsotoolslikethe famous Bogotá picks (which will be discussed further in theAppendix:Guide toTools andToolkits) and they can indeed be used inthisfashiontogreateffect.Thelaststyleoftypicalrakeandjigglerusagecouldbecalledthe“elliptical”movement.Likeapistonconnectedtoacrankshaft,thetipofyourrakeorjigglertoolisworkedinandoutofthelock while the handle is moved in large, curved arcs. This results inrelatively straight in-out movement of the tool’s working surface, butwith the additional virtue of many small fluctuations on the angle ofattackatwhichthetipisbeingheld.TheellipticalstyleofmovementisdepictedinFigure3.38.

Figure3.35 Straightin-out,lateralmovementofarakepick,heldhorizontallyandmoveddirectlyalongthekeypins.

Figure3.36 Angledin-out,lateralmovementofarakepick,heldataslightlyoff-anglebutmoveddirectlyalongthekeypins.

Figure3.37 Jaggedverticalmovementswitharakepick.Thistechniqueisactuallymuchmorecommonlyusedwithajigglertoolasopposedtoapick,butinawaferlockthismightbeeffectivewitharakepickifforsomereasonin-outmotionishavingnoeffect.

Figure3.38 Ellipticalmovementwitharakepick.Thehandleisworkedinwide,repeatedarcsasthetoolismovedinandoutofthelock,providingaseriesofnicelyvariedmovementsonthepartoftherakeorjigglertip.

Aswithallotheraspectsof lockpicking,gowithwhateverworks foryou (and doesn’t result in lock damage or some other epic fail in theprocess) and you’ll be fine. Practice until you’re comfortable andconfidentwithanytoolsandtechniques…evenonesofyourowndesign.

WaferLockExercisesInspiteofthefactthattheyareofamuchsimplerdesign,somepeople

experiencedifficultywhenpickingwafer locks for the first time. Sincetheyarenotattackedwithconventionallifting(whichiswhatalloftheexercisesherehave focuseduponupuntil this point in the chapter) itmaybehardtoimaginejustwheretostartwiththerakingandjigglingattacksthatarenecessary.

Progressivewaferlocks

I am not aware of any training supply outfit that sells progressively-assembledwaferlocksets.Youwilloccasionallyseeafewforsaleataconference,butmostvendorsdonotproduce them in largequantities.Thisisduetothefactthatjustaboutanyonecancreatetheirownsuchkit with ease, quite quickly, for almost no cost. Obtain three or fourwaferlocksfromahardwarestore(checkinaislesthatfeaturewindowlocks, hinges, and hardware for sliding glass doors) that prominentlyfeatureascrewontheirtailside.These lockswillusuallybeable to completely slideapartwhen that

screw is removed.Thiswill expose thewafers andallowyou to easilyyankoutanythatyouwishtoremove.Useapairofneedle-noseplierstopull(orevenaflat-headscrewdrivertopush)theunneededwafer(s)outoftheplug,thenreassembleit.Trustme,youdonotneedtostartwithasingle-wafer lock. Even attempting a two-wafer lock will seem trivial.(That isnot to say that such locksdon’t exist in the realworld…theydo!)Wafer locks of this variety often cost five dollars or less. You can

create awhole progressive set, if you reallywant to, for less than thecostofasetofpicktools.

Tensioningwaferlocks

Some people have difficulty adapting to the oddly square keyways on

waferlocks.Sinceanythinginsertedintosuchalockcaninevitablystickclear through thewaferswithin the plug, it is possible that the longerheadofastandardtensiontoolwilldisturbtheprocesssomewhat.Don’tbeafraid to experimentwitha flat tensioneror evenawishbone styletool. Ifyouarestillhavingtroublewhenjuststartingout, tryapplyingtension to theplugbypressingmanuallyon the tail cam(as shown inFigure3.39)asopposedtousingatensiontoolatall.Onceyoubecomecomfortable with raking by this method, you can try working with apropertensionerinstead.

Figure3.39 Applying tension toawafer lockbypressingwithone’s fingerdirectlyuponthe tailcaminsteadofusinga tension tool.This isn’t somethingyoucando in therealworld(sincethetailpieceisessentiallyalwayshiddenfromeasyaccess),butthistechniquecanhelpyoubecomemorecomfortablewithrakingandjigglingawaferlockwhenyouarejuststartingout.

Trustme, it will get easier. If you are having a lot of trouble withwafer locks at first, you’re over thinking it. Relax, vary your angle ofattackandyourtension,anditwillallfallintoplace.

ExtraHintsIf you try to walk through the exercises suggested in this chapter, Iguarantee you will be amazed at how quickly you will start to seeresults.Asyoustarttoexperimentwithmoreandmorereal-worldlocks,the following advice may serve you well and help you to overcomeminorconfusingissuesthatcropup.

Whichwaytoturn

A common inquiry when people are in my classroom trainings andpublic lectures is,“Whichdirectionshould I turntheplug?”Whenyouare attempting to pick any practice locks, they will almost always beable to turn in either direction. Of course, the binding order willtypically vary… not to mention that in one direction you will beunlockingwhileturningintheotherdirectionwillentailrelocking.Still,sincethisbookisgearedprimarilytowardspenetrationtesters,wewillassumethatyouaremostinterestedindiscerninghowtounlockitemsthat you encounter in a secured state during auditing and assessmentjobs.

Unlockdirectionforpintumblerlocks

Thisisactuallyquiteasimpletopic,mostofthetime.Padlocks(asseeninFigure3.40),whetherlargeorsmallorexpensiveorcheap,willtendtoopeniftheplugturnsclockwise.Onparticularlybasicpadlocks(liketheMasterNumber3padlock)itisoftenpossibletoturntheplugeitherwayandstillreleasetheshackle.

Figure3.40 Padlocks…alwaystryturningtheplugclockwiseifyouwanttoopenthem.

Fordoorknobsthatfeatureintegratedpintumblercylinders(theseareknown as key-in-knob locks and one can be seen in Figure 3.41), thereverseisalmostalwaystrue.Turningtheplugcounterclockwiseisthedefaultdirectiontounlockthesemodels.Inrecentyears,however,therehas been an emerging trend—particularly on the part of the Schlagecompany—to produce doorknobs which open by turning their lockclockwise.

Figure3.41 Lockingdoorknobs…alwaystryturningtheplugcounterclockwiseifyouwanttoopenthem.

Just about the only time life gets complicatedpertains todeadbolts.Therulesherearenotquiteasconsistentandregularasthosedescribedabove, but I will give you the best advice that I can. To make aneducated guess as to which direction it will be necessary to turn adeadbolt inorder tounlockadoor, it is important tounderstandsomeverybasicfeaturesofhowdeadlatchmechanismsinteract,howtheboltisthrown,andwhythismakesvariousdoorsworkdifferentlythanyoumightexpect.Deadbolt locks consist of a boltmechanism that is acted upon by a

camwithinthedoor.Thecamisintegratedinsomefashiontotheplugof the deadbolt’s lock, often by means of a tailpiece, but sometimes(particularlyonEuropeanlockcylinders) thecamis integrateddirectlyintotheplugandnoteasilyremoved.Theactualboltmechanismtendsto be mounted slightly above the lock (and here, the term applieswithout much worry of geographical bias, since no matter what

direction the lock ismounted in its fitting, theboltdoesalmostalwaystend tobe installed in thedoor inaposition that isvertically “above”theplugandcamcomponentsofthelock).Whentheplugisturned,thecamwilloftentendtointeractwiththe

bolt upon its “bottom” surface. Observe the diagrams in Figures 3.42,3.43,and3.44tobetterunderstandthisrelationship.Thecruxofwhatmust be understood is that to cause movement of a deadbolt, youtypicallywillwanttogetthetopoftheplugmovinginthedesiredunlockdirection.Inthehypotheticaldeadboltinthesediagrams(mountedinadoorsuchthattheboltprotrudesouttheleftsidewhenyoulookatthedoorexternally)youwantthebolttomovetotherightduringunlocking.Thus, to get the top of the plug moving in a rightward direction, thatwould entail trying to rotate the plug clockwise. If this door werereversed(withhingesontheleftsideasyouapproachitandthuswiththe lockingboltprotrudingoutwardand intoadoor jambontherightside), then you would be best served by attempting to turn the plugcounterclockwise…thusmakingthetopoftheplug(and,byassociation,theboltitself)movetotheleft.

Figure3.42 Adeadbolt installed in adoor,with the lockingboltprotrudingout the leftside.

Figure3.43 Thispseudo-cutawayviewattemptstoshowtherelationshipbetweentheplugandthelockingbolt,bymeansofacamontherearoftheplug.

Figure3.44 Inthisparticulardeadbolt,turningtheplugclockwise(fromtheperspectiveofsomeoneoutsidethedoor)wouldretracttheboltandunlockthedoor.

Ofcourse,ifyoupickalockinthewrongdirection,it’srarelytheendoftheworld.Simplyfliptheplugbackuptoitsdefaultpositionandtrypicking in the other direction. There are even specialized tools calledplugspinnerswhicharedesignedtointroducearapidrotatingmovementto the plug (usually by means of discharging a spring that has beenplacedunderpressure)inthedesireddirection.Thus,ifyouhavepickeda lock in the “wrong” direction (either by mistake or because it wassimplyeasierthatwayduetothebindingorder)aplugspinnercanhelpyouattempttostill fliptheplugtheotherwayandthusopenthe lockwithouttheneedtore-pickthecylinderasecondtime.

Unlockdirectionforwaferlocks

Worryingaboutwhichdirectiontoturnawafer lockisrarelyanissue.These devices are typically so simple to pick that it’s faster to just tryonedirectionandifthatdoesn’thelpyou,trythereverse.

Plugsstuckupsidedown

ThelasttipIwillgiveyoubeforeclosingoutthisespeciallylongchapterpertains to a situation inwhich youmay occasionally find yourself. Ifyoupickalockandturntheplugafullonehundredandeightydegrees,occasionally itwillbecomestuck in thisposition.Donotpanic.Figure3.45shouldgiveyouagoodideaofwhatmayhavehappened.

Figure3.45 Aplug thathasbecome“stuck” inan“upsidedown”position isoftenbeingheldthatwaybyoneormoredriverpinswhichhaveslippedintotheundersideofthekeyway.

Somekeywaysarecutwideenoughat theirbase toallowthedriverpinsinalocktofalloutofthehousingslightlyandslipintotheplugatits underside if it has been turned completely around. This wouldnormallynottakeplaceduringroutineoperationofthelockbecausethemetalbladeof thekeywouldbeoccupyingthisspace inthekeyway…that,plusthefactthatmanylocksneverrequireafullonehundredandeightydegreerotationinordertolockorunlock.In any case, if you do accidentally get stuck in this fashion, simply

insert a tool with a perfectly flat surface (the underside of a half-diamondpickwillworkwell)upagainst thedriverpinsand try to liftthem all simultaneously, not unlike the technique described in Figure

2.45. That diagram depicts the lifting of entire pin stacks, so as torelease themandcount thembyhearing them fall. In thiscase,you’rejustattemptingtofreetheplugfromtheintrusionofdriverpinsalone.You may not have to lift nearly as far. Figure 3.46 demonstrates themotion you’re going after. If you lift the right amount, as shown inFigure3.47,theplugshouldbecomefreeandabletoturnagain.Useatension tool or even just the pick that you have currently inserted torotateitbackintheproperdirection.

Figure3.46 Use the flat side of a half-diamond pick if the plug becomes trapped in an“upsidedown”position.

Figure3.47 Withthetool liftingthedriverpins, theyare freedfromtheplugand itcanagainrotatenormally.Flipitbacktotheproperposition.

SummaryThischapterdiscussedanoverviewofthebasictypesofequipmentthatare particularly helpful when starting out with a study of lockpickingandpresentedknowledgeontheprocessbywhichthisequipmentcanbeserviced and reconfigured. Getting either a good set of progressively-pinnedlocksoradrilled-and-tappedtraininglockwillallowforawiderangeoflearningexercises.With an adequate plan of action, such as the steps for learning

highlighted here, much of the initial difficulty that some peopleexperiencecanhopefullybeavoided.Anumberofextrachallengescanbehadwithtypical locks if theyarereconfiguredtotesta lockpicker’sdexterityandbreadthoftechniques.Inexpensive,pre-installedwaferlocksandtheirexceedinglysimplistic

designprovideadifferenttypeofchallengetolockpickers,buttheyarequite easy to attack once their construction is understood. Thisknowledgeofthemeansbywhichlockscanbeexploited,alongwiththeoverviewof a fewadditional tips and tricks at theendof the chapter,shouldhaveyouquitepreparedtotackleanynumberofsmallobstaclesthatyouencounterduringpenetrationtestsorevenjustcasualhobbyistpickingsessions.

Chapter4

AdvancedTraining—LearningSomeAdditionalSkills

ChapterOutline

Pick-ResistantPinsSpecializedPickingTechniquesSpecializedPickingToolsPracticeExercisesReal-WorldLocksWhichOfferGreaterChallengesSummary

Some manufacturers add features to their locks that are designed tomakethemmoreresistanttopickingattacks.Thedegreetowhichthesecompanies are successful in this effort depends largely on how muchmoney they are willing to spend on design, manufacturing, andassembly.Anumberofinterestingmodificationstothecomponentsofalockcanmakeit“pickresistant”,sometimessignificantlyso.Still,byandlarge the market for consumer grade lock products is driven by costmore than by form and function. Even locks that are described assomehow“moresecure”ontheirpackagingcanoftenbeovercomewithsomededicatedeffort.Allthatisneededispatience,andafundamentalunderstandingofwhatisactuallytakingplaceinsideofthedeviceatamechanicallevel.

Pick-ResistantPinsRecallfromChapter1thatmostconventionalpintumblerlocksfeaturekey pinswhich are either cylindrical or slightly tapered to a point on

their leading tip along with driver pins which are almost entirelycylindricalanduniforminsize(seeFigure4.1).

Figure4.1 Aconventionallock(thelikeofwhichwehavealreadyexaminedinthisbook)viewedfromafront-facingperspective.

Perhaps the simplest and most common means for making atraditional pin-tumbler lock more resistant to picking attempts is theinclusionofpickresistantpins(alsoknownas“securitypins”)whenthelock is being assembled. By changing themilled shape of some of thepinswithinalock(particularlythedriverpins)itispossibletofrustratethenormalmethodsofpinmovementassociatedwithlockpicking.Thisis a particularly popular option for companies with establishedproductionlinesandanumberofmodelsoflockalreadyonthemarket,as it does not require a major overhaul of their existing factorymachiningandequipmentassemblyprocesses.Alllargepartsofthelock(housing, plug, tail piece, mounting hardware) remain exactly thesame…it isonly slightlydifferentpins thatare inserted into some (orveryoccasionallyall)ofthechambers.

Pinswithlips

Themostpopular typeofpick-resistantpin isknownasa spoolpin, sonamedbecause ithas theappearanceofa spoolof threadorwire (seeFigure 4.2). These types of driver pins can be produced with relativeease by the same machines and processes which fabricate traditionalcylindrical driver pins. Another virtue of spool pins which appeals tomanycompanieswhoproducelocksistheirsymmetry…thereisnowayof accidentally installing a spool pin in a lock “upside down” anddiminishing its efficacy. Thus, any factories which incorporate large-scaleautomationcanmoreeasilyuse this typeof securitypinon theirproduction lines as opposed to some other types of pick-resistant pinswhichwewilldiscussshortly.

Figure4.2 Alockfeaturingapick-resistantspooldriverpin,asviewedfromafront-facingperspective.

InChapter 2 you learned about the process bywhich lockpicking isperformed.Itislikelythatyoucanalreadypredictthemannerinwhichadriverpinofthisdesigncanfrustratesuchattempts.Whentensionisapplied to the plug, if this particular pin stack happens to be the onewhichwillbearthebruntofthebindingforce,itwillnotsimplybecometrapped against the walls of the pin chamber by its vertical edges.

Instead,thespoolshapewillallowtheplugtorotatemuchfurtherthanexpected(asseeninFigure4.3).Ifliftingpressureisthenappliedtothebindingpinstack,itwillnoteasily“click”intopositionattheshearline.Instead,theparticularlysignificantangleofthespoolpinwillcauseitsprotruding lip to catch on the edge of the housing, potentiallypreventinganyadditionalmovement(seeFigure4.4).

Figure 4.3 With tension applied to the plug, a spool type driver pin will allow forsignificantlygreaterrotationthanaconventionalcylindricaldriverpinwould.

Figure4.4 Ifaspoolpinisbinding,thepinstackcanbepushedslightlytowardstheshearline,but itwillultimatelygetheldupwhentheedgeof thespoolcatches the lipof the lock’shousing.Itismuchhardertopushthepintotheproperpositionatthispoint.

Pick-resistantpinscomeinplentyofothervarietiesbeyondthesimplespool style. Another popular design is the mushroom driver pin (seeFigure4.5).

Figure4.5 Alockfeaturingapick-resistantmushroomdriverpin,asviewedfromafront-facingperspective.

Thisstyleofdriverpinwillhavealargersurfaceareauponwhichitsedge can contact (and thus drag along) the walls of a pin chamberduring the binding process. This will offer greater friction and thuspresentslightlymorechallengetoanindividualattemptingtopushuponthat particular binding pin stack. The reason this style of driver pinhasn’tseenquiteasmuchmarketpenetrationasthesimplespool(inmyopinion)likelyhaslesstodowiththeslightlymoreinvolvedprocessofmillingbutinsteadpertainstothefactthatamushroomdriverpincanonly be installed in one direction in order to be fully effective. Thus,certain fully automated assembly lines (which feed driver pins fromlarge supplybins)would likelybe incapableof reliably inserting thesepinsinthecorrectmanner.Thespoolandmushroomvarietiesofpick-resistantdriverpinarethemostpopularinageneralsense,buttheyarebynomeansthefullextent

ofsuchpinsinusetoday.Somemanufacturershavedevelopedtheirowncustom designs which are truly a sight to behold. For example, theTrioVing company (the leading vendor of locks in Norway) uses ahybridized “double mushroom spool pin” (this is simply my term) inevery single chamber of even their least expensive pin tumbler locks.Figure4.6showstheshapeoftheseuniquedriverpins.Thesepinsofferaratherparticularadvantagetothoseassemblingandconfiguringalock.Conventionalspoolpins,aswehaveseen,allowforsignificantrotationoftheplugevenwhenthepinstacksareallatrest.

Figure4.6 A lock containing a driver pin of the “doublemushroom spool” variety usedextensivelybytheTrioVingcompanyofNorway.

Imaginea simplepin tumbler lock inwhichall thedriverpinswereconventional spool pins.With no key in the lock, therewould still besignificant“wiggle”intheplug.Itcould,inessence,oscillatetotheleftorrightbytendegreesormore,similartowhatisrepresentedinFigure4.1.Not onlywould this allow someone inspecting the lock to almostinstantlyrealizetheinternalmakeupofthepinstacks,butitwouldalsopotentially complicate theuseof theproperkey.Attempts to insertorremovethebladeofakeyinthekeywayofalockwillonlybesuccessful

if the pins can traverse up and down with ease, allowing the bittingridgesofthebladetopassthestackssmoothly.Ifthepinscannotmoveupanddown,thekeywilljamandbeunabletomovefurtherin(orout,forthatmatter…thisiswhyakeycannotberemovedfromalockwhentheplugisturned,bytheway).The TrioVing design is unique because these driver pins can be

installed inallof thechamberswithoutcausing the lock toexperiencethis potentially problematic “wiggle” effect in its plug. These pins arealso monsters to pick without serious practice. I have taken TrioVinglocks and prepared progressive training sets in the past. I can onlyreliablyandroutinelypickopensucha lockwiththreepinstacks,andeventhenitbecomesquitedifficult.TraditionalTrioVinglockshavesixor seven pin stacks. They are quite formidable. (Althoughwe learnedtheycanbebumped!WewilldiscussthebumpkeyattackinChapter5.Ioffermyheartfelt thanks to John-Andre Bjørkhaug for discovering theperfectTrioVingbumpkeyandsharingitwithme!)

Pinswithserrations

Notallpick-resistantpinsrelyonlarge,protrudinglipsattheiredgesinorder to frustrate conventional lockpicking attempts. Some pins aremilledwithnumeroussmallcuts,knownasserrations,acrossmostoralloftheirsurface(seeFigure4.7).Suchserratedpinsnaturallyhaveamuchgreater degree of friction against the walls of the pin chambers andtherefore are harder to push into the necessary positions at the shearline. It isverycommonforsomeonetoover liftpinstacks that featureserratedpins.Sincetheseserrationscancauseanincreaseinpinfrictionnomatter where they are located, sometimes lock manufacturers willevenengineer theirkeypins in thismanner.The lineof products fromAmericanLockoftenfeatureserratedkeypins,forexample.

Figure4.7 A lock featuring a pick-resistant serrated driver pin, as viewed from a front-facingperspective.

Coordinatedpick-resistantcomponents

Somemanufacturerswhowish to significantlyhamper lockpickingwillgotoevergreaterlengthswhenitcomestomodifyingthepinsthanthedesigns we have just now examined. The noted Dutch locksmith andreveredsecurityresearcherHanFeywroteanarticle1showcasingsomeoftheincrediblepick-resistantfeaturesfoundintheproductsofSwedishlocksbyASSA.Handescribedingreatdetailwhathereferstoas“sneakypins”which jamandbind inavarietyofvery frustratingways.This isdue, inpart, to the fact that thepin chambersof theplug incorporatewhatisknownas“countermilling”neartheshearline.Theseextralipsprovideevenmorewaysforthepinstocatch,jam,andrefusetomoveunless a proper key is being used. See Figure 4.8 for greater detailconcerning just how “sneaky” some pins can be, and where countermillingappearsinsomelocks.

Figure4.8 Alockfeaturinghighlypick-resistantdriverpinsandkeypins,asviewedfromafront-facingperspective.Notethecountermillingthathasbeenperformedwithintheplugnearthe“top”ofthepinchambers,justnexttotheshearline.

SpecializedPickingTechniquesDespite their intimidating appearance, it is often possible to still pickopen locks that feature these sorts of specializedpins.While I’ll admitthatitisunlikelythattheASSAdesignshowninthelastexamplecouldbedefeatedregularlyandrepeatablybyanyoneotherthanahandfulofthe world’s top lockpickers, such pins are not nearly as common assimplespooldrivers.Withsomeunderstanding,patience,and—aboveall—practice…you,too,cantackleandovercomelocksthatfeaturetypicalpick-resistantpins.

Counter-rotation

Thecriticalaspectofpickinglocksthatfeaturespoolpins(aswellasthevarious pins of a related design, like mushroom drivers, multi-spooldrivers,andcombineddesignssuchastheTrioVingpins)hastodowithwhatlockpickersoftencallcounter-rotation.Inordertohelpapinstackmovebeyondthepointwherethesefeatureswouldnormally“trap”itonaliporedge,theplugmustbeallowedtorotateslightlyinthedirection

oppositethewayitisbeingpicked.ThediagramsinFigures4.9through4.13willhelptoexplainthisconceptfurther.

Figure4.9 Somepeoplewillplaceamarkerlineacrossthefrontfaceofalockwhenthey’relearningtotacklepick-resistantpins.ObservehowthetwosegmentsofthislinechangepositioninrelationtooneanotheracrossthediagramsinFigures4.9through4.13.

Figure4.10 Binding a spool pin is almost immediately noticeable. The plug will rotatesignificantlymorethanyou’reusedto.Noticethemarkerline’ssignificantoffset.

Figure4.11 Pushing this binding pin stack will not just move the pins, it will actuallybegintocausetheplugtorotatebackinacounterclockwisedirection,eversoslightly.

Figure4.12 Liftingpressure isbeingappliedtothepinstack.Thispressurecomingfromthe“bottom”ofthespoolpincausesit toshiftpositionslightlyand,byassociation,causestheplugtocounter-rotate.

Figure4.13 Canyouseethiscounter-rotationthattheplugismakingthroughthesepastthreediagrams?Iftheshiftshavebeentoosubtle,comparethisimagewithFigure4.10.Notethedifferenceinthepositionsofthemarkerlines.

When starting outwith the process of trying to attack (or even justtrying to learn more about) pick-resistant pins, some lockpickers willdrawamarker lineonthe front faceof their lock,across theplugandthe housing, so that they can more accurately visualize any smallrotationthattakesplace.Inthishypotheticalexample,wewilllookatalockfeaturingaspoolpin(seeFigure4.9).Whenpressure is applied to theplugand thispin stackbinds, there

will be very significant rotation visible. The two marks will likelybecome completely separated, and the plugmay turn as much as tendegrees(seeFigure4.10).Whenyouattempttoputpressureonabindingpinstackfeaturinga

spool pin, something unique will happen. As the pins move in theirchamber,itwillbegintoaffecttherotationthatwasinitiallyobservedinFigure 4.9 with respect to the plug. In Figure 4.11, the pin stack hasbeenpushed“upward”tothepointthatthelipofthespoolpinisnowcatching on the lock housing. However, examine the marker lines.Compare Figures 4.10 and 4.11… it’s very subtle, but there is a slightdifference.

This“counter-rotation”canbeobservedmoreplainlywhenadditionalliftingforceisappliedtothisbindingpinstack.Ifalockpickercansubtlyeaseofftheirpressureonthetensiontool,thentheattemptstomovethepinstackswillcausetheplugtocontinueitscounter-rotation.AsseeninFigures4.12and4.13,continuedattemptstopushthepinstackfurtherinto position will result in the plug continuing to move in acounterclockwisedirection.There is no special trick to picking locks that feature these sorts of

pins.Allthatisneededissignificantdisciplinewithrespecttousageofthe tension tool. Make certain that you’re applying the absolute leastamountoftensionpressurepossibleontheplug,andbegintheprocessof hunting for binding pin stacks and setting them. You will almostsurelycometorecognizewhenyou’vehitaspooledsurface,duetothealmost comically over-the-top “clunk” noise and significant rotation ofthe plug that can be observed. (Recall Figure 4.10 and the extremedegreetowhichtheplugwilltendtoturn…rotationofasmuchastendegreesormoreiscommonlyseen.)Whenthathappenstoyou,pressupslightlyharderonthatpinstack.

(Takecautionnot to allowyourself to apply any extrapressureon thetension tool at that time!) Does the plug seem to respond to thispressure? Do you observe any counter-rotation? Even if you have leftonepinstack,triedotherpins,andthencomebacktoit…thatcounter-rotation should still be slightly evident somewhere.Push thepin stackfurther,andhopefullyitwillclickintowhatfeelslikea“set”positionforthe second time. Now youmay have finally reached the proper shearline. (Or youmay have just hit a second spool lip, if you areworkingwith a particularly devilish lock.) Keep in mind, this counter-rotationmay “un-set” some other pin stacks that you have already picked. Gobackandhuntaroundfurthertoseeifthiswasthecase.

SpecializedPickingToolsThere are anumberof “specialized” lockpick toolswhich somepeopleclaimcanhelpyouagreatdeal,particularlyifyouarecontendingwithalockthatishardtopick.

Featherweighttensiontools

Attacking spoolpinsandother suchpick-resistanthardware isdelicatework.Applyingtoomuchtensioningpressuretotheplugwillcausethepins to become hopelessly jammed up at their edges and prevent anychanceofyouobserving thecriticalcounter-rotationwhich isessentialtotheprocess.To that end, a number of vendors who design and sell lockpicking

equipment offer tension tools that purport to be more useful thanconventionaltensionersduringthisprocess.Perhapsthemostpopularoftheseitemsisthe“feathertouch”or“featherweight”tensionershowninFigure 4.14. This tool is sold by a number of popular retailers oflocksmithsupplies.Idonotunderstanditsenduringpopularity,beyondthe fact that it may seem appealing to novice pickers. Indeed, I amforced to admit that I was taken in by the marketing hype of thisparticularproductandcouldbeheardrecommendingittoothersatonetime in the past. (It may have even made its way into some of thetrainingkitsIputtogetherforuseatconferences.)

Figure4.14 Aso-called“feathertouch”tensiontool.ThistoolhassuchlimitedpurposeandperformsitsfunctionwithsuchmediocritythatIcannotrecommendanyoneinvestinone.

Insteadof addinga featherweight tension tool to yourkit, considerperforming theexercises listed in theupcoming sectionusinga typicaltensiontool(eitherinthecenteroftheplugorattheedgeoftheplug)made of very stiff material. I know some people who have evenhardened the metal in some of their lockpick tools using temperingtechniques suchasheatingandquenching themetal. In theend,usingstifftoolsandbecomingveryintunewiththefeedbackthelockisgivingyou is likely to serve you far better than attempting to acquire toolswhich have great flexibility (and, thus, offer you greatly diminishedtactilefeedback).

Tip

Ifmylogichereisnotenoughtoconvinceyou,considerthefactthatmost“typical”tension

tools (madesimplyoutofbentmetal)costapproximatelyadollarapiece…even less ifyou

fashiononesyourselfoutoffoundmaterials.Streetsweeperbristlesandthemetalshaftsfound

insideofwindshieldwiperbladesare twopopular sources for suchbare stock.The“feather

touch”tensionerissoldfortendollars.Doyoureallyfeeltheneedtobuysomethingthatcosts

onethousandpercentofthepriceofatoolthatdoesthesamejobinabetterway?

Bogotájigglerrakes

Onestyleoftoolthathasbecomeverypopularwithagrowingsegmentoflockpickersinrecentyearsisastyleofrakingandjigglingtoolknownas a Bogotá. Created by a remarkable individual by the name ofRaimundo(thethreemountainssurroundingthecapitalcityofColombiawere the inspiration for this design), this family of tools has theappearanceofarakes(and,indeed,theycanbeusedassuch)butwouldbemoreproperlycalledjigglertools.IknowthatbackinChapter2wediscussed jigglers and I asserted that one key feature is that they canoftenactasbothapickingtoolandatensiontoolallinoneunit.Donot

consider that feature alone to be the key distinction of a jiggler,however.Whenatoolismostsuitedtobeusedinapunctuatedup-and-down motion or elliptical pattern (as seen in Figures 3.37 and 3.38,respectively),that,tome,iswhatdefinesitasajiggler.The Bogotá family of tools (the original design has since beenaugmented with related designs such as the Sabana and Monseratepicks)arecrafted in suchawayas tobeaconstant sizeand thicknessacross their entire working tip, which distributes loads and pressuresveryevenly regardlessofhowviolently the tools areworked ina lock(seeFigure4.15).Thehigh-polish,mirror-likefinishthatischaracteristicofthistypeoftoolalsoaidsinmovementofthepickwithinthekeywayasit isworkedinmultipledirectionsrapidly.Thereareindividualsoutthere, including people who I know and respect as lockpickers, whoclaim that Bogotá tools are some of the best ways of tackling pick-resistantlocks(andlockswithdifficulthigh/lowpinningcombinations)withoutsettingeverypinstack individually.Whileconventionalrakingcangethunguponthelipsofpick-resistantpins,jigglingismoreabouttrying to approximate a number of different bitting lines in rapidsuccession and therefore can result in some fortuitous good luck,particularlywithBogotápicks.

Figure4.15 Bogotálockpicksfrommypersonalkit.

PracticeExercisesSo, if one doesn’t own (or doesn’t want to rely exclusively on)specialized jiggler tools…what is the bestmethod of learning how totackle locksthat featurepick-resistantpins?Well,bynowitmaycomeas little surprise to readers that I am a devoted fan of taking aprogressiveapproachtothesesortsoflocks.

Spooledprogressivepracticelocks

Startingwithalockthatfeaturesjustasinglepinstack(whichincludesa spooled driver pin, as shown in Figure 4.16), try to observe thesignificant “wiggle” of theplug, and experimentwith applying tensionandpressingonthepinstack.Addamarkerlineliketheonereferencedin Figure 4.9 and try to observe the same movement shown in thesubsequentdiagrams.Ifyoucanfeelorseethe“counter-rotation”whichwas discussed earlier in this chapter, try moving on to additionalprogressive locks featuring spool pins. I would suggest the followingprogression:

•ProgressiveSpoolNumberOne—Asinglepinstackfeaturingaspooleddriverpin(seeFigure4.16).• Progressive Spool Number Two—A pair of pin stacks, only one ofwhichneedfeatureaspooleddriverpin(seeFigure4.17).•ProgressiveSpoolNumberThree—Threeworkingpinstacks,inwhichtwoofthedriversarespooled(seeFigure4.18).• Progressive Spool Number Four—This lock can have four functionalpinstacks,butI’dstaywithonlytwospooleddriverpinsatthistime(seeFigure4.19).• Progressive Spool Number Five—A lock featuring five working pinstackscanrepresenta“realworlddoor”rathereffectively,andifyou

stilljusthavetwospooleddriverpinsitwillbeadecentchallenge,butcapable of offering you an educational experience instead of simplyfrustration(seeFigure4.20).•ProgressiveSpoolNumberSix—Trythatsamefive-pinlockagain,butthis time allow three of the five pin stacks to be assembled withspooleddriverpins.Thiswillnowexceedmuchofwhatyouarelikelyto encounter on a day-to-day basis where typical “hardware store”locksareconcerned. Ifyoucanmaster this lock,you’re inverygoodshapewithyour“pick-resistantpin”skills(seeFigure4.21).

Figure4.16 ProgressiveSpoolNumberOne—Asinglepinstackfeaturingaspooleddriverpin.

Figure4.17 ProgressiveSpoolNumberTwo—Apairofpinstacks,onlyoneofwhichneedfeatureaspooleddriverpin.

Figure4.18 ProgressiveSpoolNumberThree—Threeworkingpinstacks,inwhichtwoofthedriversarespooled.

Figure4.19 ProgressiveSpoolNumberFour—Thislockcanhasfourfunctionalpinstacks,two of which feature spooled driver pins. These spooled pins have changed position incomparisontotheProgressiveSpoolNumberThreelock,tooffergreatervarietyandchallenge.

Figure4.20 ProgressiveSpoolNumberFive—Alockfeaturingfiveworkingpinstacks,twoofwhichincludespooleddriverpins.

Figure4.21 ProgressiveSpoolNumberSix—Alockfeaturingfiveworkingpinstacks,threeofwhichcontainspooleddriverpins.Thislockexceedsthedifficultylevelofnearlyallproductsyoucouldfindatalocalhardwarestore.

DonotexpectthisseriesofprogressivetrainingexercisestogoquiteasquicklyasthosewhichwereencouragedinChapter3.Rememberthatpatience and repeated practice iswhatwillmake all the difference. Ifyouhavesuccessfullyopened,say,theProgressiveSpoolNumberThreeacoupleoftimesbuthavehadnosuccesswiththeNumberFourlock,Iwouldsayitisactuallymorebeneficial(inmyview)tospendthirtyto

sixtyminutesopeningtheNumberThreelockrepeatedly.Trypickingitin both directions. Try picking it using various tension tools in bothcenter-of-plugandedge-of-plugpositions.Anhourspenthavingsuccessandbuildingupmusclememorycanoftenbefarmorehelpful thananhour(oreventwoorthreehours)ofunsuccessfulfrustration.

Tip

If you rebuild and customize your own locks in an effort to attempt greater and greater

challenges,knowthatrarelywilllocksintherealworldeverfeaturespooleddriverpinsinall

chambers.Usuallytherewillalwaysbeatleastoneplaincylindricaldriverpin.Thisisdoneto

keeptheplugstraightduringinsertionofthekey.Iftherewerenothingbutspoolpinsinevery

position, therewouldbepotential foragreatdegreeof “slop”and theplugcouldbeeasily

turnedsomewhat(accidentally,ofcourse)duringinsertionofthekey,whichwouldjustresult

inthekeybecomingstuckandalotofjigglingandwigglingonthepartoftheuser.

Ifyouwanttochallengeyourselfinexceptionalways,feelfreetopinalockusingnothing

butspools…butknowthatthisconfigurationmaynotberepresentativeoftherealworld.

Pick-resistantkeyways

One other feature that manufacturers will often introduce into their“basic” locks in order to make picking somewhat more difficult isadditionalwarding and angular cuts in theprofile of the keyway.Theprotrusionsofmetalthatonecanseewithinthekeyway(theyareknownaswards)havemultiplefunctions.AswasdiscussedbackinChapter1inthesectionwheretheplugofapintumblerlockwasfirstintroduced,thewarding of a keywaynot only serves as ameans of distinguishing theproperbrandofkeyandholdingit inthecorrectposition…italsocanfrustratetheprocessoflockpickingonoccasion.Themoreangularakeyway,themorelikelyit is thatpicktoolswill

encounter difficulty when attempts are made to move them up and

down. Additionally, if the keyway is particularly narrow and featuresnumerous curves, itwill be difficult to position a single, solid shaft ofmetal up at an angle (for instance, a lockpick being used with the“rocking”motiondescribedinChapter2).Figure4.22 shows a series of various popular keyways.As you look

from left to right, notice how they become both narrower and moreangled.

Figure4.22 Aseriesofincreasingly-difficultkeyways.

When a keyway’s profile contains angles and wards that are sosubstantialastonegateanysingle,straight,unobstructedlinedownthemiddle of the keyway, it is called paracentric. Observe the same fivekeywaysinFigure4.23andconsidertheadditionalguidinglinesdrawninasvisualaidstobetterunderstandthisdefinition.

Figure4.23 Aseriesofkeyways,therightmosttwoofwhichareparacentric.

InFigure4.23,thefirsttwokeywaysareclearlyratherwideandopen.Thethirdkeywayshownhascurvesthataremoresubstantial,but it isstillpossibletodrawastraightlinedownthemiddlewithoutcomingup

againstanyobstruction(althoughitdoescomeremarkablycloseattwopoints).Thefourthlockfeaturesaparacentrickeyway.Thereisnoangleatwhichastraightlinecanbedrawnfromthetopofthekeywaytothebottom without encountering wards of metal. The fifth lock isdramatically paracentric, and would offer significant hindrance toanyoneattemptingtomanipulateitwithpicktools.(Thislockdoesexist,bytheway…itisaGegelock,aproductlinethatisnowofferedbytheKaba AG company. The Kaba name is well-respected in the world oflocks and safes, and their products are well-engineered and generallyveryresistanttoattacksofallkinds.)

Note

Youmaynowbeaskingyourself,“Ifthoseadvanceddesignsarepossible,thenwhyaren’tall

locksmanufacturedwithsuchpick-resistantfeatures?”Theanswerpertainstocostandeaseof

use.ConsidertheGegelockshownatthefarrightinFigures4.22and4.23.Allofthosehard-

angled curves are introduced into the keyway by repeated passes with cutting jigs of

increasingsizeastheplugmaterialisforcedpneumaticallythroughfabricationmachines.All

ofthoseharshanglesmeanthatthekeywill fail toinsert if thereareanydeformitiesonits

surfaceorifexcessivewearandteardevelopsovertimeinthelock.Acustomerisnotlikelyto

approveofalockthatsuddenlystopsoperatingwithlittletonoexplanation,particularlyifit

costmorethanotheroptionstheysawonastoreshelf.

Now,IamnotsayingthattheGegelockislikelytobecomeunreliableduetoitsdesign.In

fact,I’dpitthisoranyKabaproductupagainstthegeneric“hardwarestore”brandswehave

hereinNorthAmericaanyday.WhatIamsaying,however,isthatifallofthese“common”

manufacturers were to start trying to produce highly paracentric locks of this nature they

wouldhaveahardtimecompeting(intermsofbothpriceandquality)withthefewdesigns

thatarealreadyonthemarket.Othermajorbrandsseenosubstantialpayoff toengineering

productsofthisnature.

Thereisalsotheconsiderationoftechnologicaldeterminism.Marketpenetrationisaforce

withconsiderablemomentum.Thesheerhugenumberoflocksthatarealreadyinusetoday

featuring typical KW-1 or SC-1 keyways (originally designed by the Kwikset and Schlage

companies,butwhichhaveeachlapsedintothepublicdomain)meansthatmostofthekeys

copied at hardware stores and locksmith shops are of that design. Customers buying new

productsoftenwanttoacquireonesthataresimilartowhattheyalreadyhave(perhapsthey

evenaskforthemtobekeyedlikeanexistinglockthattheyown),andthisperpetuatesthe

trendfurther.

Nomattertheparticularreasons,sufficeittosaythatyouarelikelytoencounterweaker,

easier-to-pick locks out in the realworld for a very long time. There are quite a few locks

availableatretailoutletswhichdoincorporatesomeofthesepick-resistantfeatures,ofcourse.

Identifyingthemandacquiringthemforpurposesofpracticeisthetopicofthelastsectionin

thischapter.

Real-WorldLocksWhichOfferGreaterChallengesSo,bynowyou’veperhapsmadeatleastonetriptoyourlocalhardwarestoreandhavebeenastonishedat the easewithwhichyouhavebeenable topickmostof theproductsyou foundon the shelves. (You tookthemhome first, right? Because it’s bad form to pick locks on a storeshelf.Youdon’townthem,afterall…andoneofthetwogoldenrulesis“Neverpicklocksyoudon’town.”)Ifyouareinterestedinfindinglocksat localretailoutletswhichcan

offeryouthechallengeofexperiencingpick-resistantpins,allowmetosuggestanumberofoptionstoyou.

Defiantbranddoorlocks

I’m not promoting them here simply because of their name. I likesuggesting this product line to peoplewho are learning about picking

because they strike a healthy balance between cost, quality, andsecurity. These are Home Depot’s “generic” companion to the name-brandKwiksetlocks(whichtheyalsostockandwhosekeysarethesameKW-1profile). I like these locks for beginner practice because theydonotcostanarmandalegtoacquire,buttheyaren’tmadesocheaplyasto result in malfunctions and jamming. Defiant locks almost alwaysfeature five pins stacks; the middle one invariably contains a spooleddriver pin. With the “double-sided deadbolt” entry pack (see Figure4.24)youcanobtainapairoftheselockcylinders,keyedalike.Theyareeasytoservice,soyoucanfieldstripthemandmakepairsofprogressivelocks representing difficultieswithin your range, and the pair of spoolpinsthatyouwillhaveacquiredinthispurchasewillallowyoutocreatethefirstfivelevelsofmysuggestedProgressiveSpoollocks.

Figure4.24 ADefiantbranddeadbolt.

MasterLockcolor-platedseriesandfusionseries

There are two styles of padlock lock offered by the Master companywhich can be deceptive in their level of difficulty. The small, plastic“Color-Plated”models in the130and140 family (seeFigure4.25) are

availableatmosthardwarestores,ofteninkeyed-alikemultipacks.Theplasticandmetal“Fusion”models(seeFigure4.26)aren’tseenasoften,buttheyarestillavailableatmanyretailstores.Bothoftheseproductstend tobe four-pin lockswithmediumdifficultybitting configurationsthat includeat leastonespooldriverpinsomewhere.TheColor-Platedline,inmyexperience,willfrequentlyhavetwospooldriverpins.Ievenobservedapseudo-serratedpininsideofoneonce.Withtheirsmallsize,light weight, and low cost, these locks often take novices by surprisewiththeirdifficulty.

Figure4.25 AMaster brand padlock in their “Colored Cover” line. These will typicallyfeatureone,ifnottwo,spooldriverpins.

Figure4.26 AMasterbrandpadlockintheir“Fusion”line.Thesewilltypicallyfeatureonespoolpinandaslightlysmallerkeyway,makingforaslightchallengebeyondapurely“basic”padlock.

AmericanLockpadlocks

The offerings from American Lock (see Figure 4.27) present a veryformidable challenge to anyone seeking to tackle pick-resistant pins.Whiletherangeofproductsfromthiscompanyvariesgreatlyintermsofresistant to brute force attacks (they have small, aluminum bodypadlocks for lockout/tagout purposes all the way up to heavy-dutyshacklelesspuckpadlocks),butalloftheirofferingstendtorelyontheexact same lockcylinder. (Indeed, theeasewithwhichmostAmericanLockproductscanejecttheircoreisagreatbenefittothosewhoarestilllearning. With the lock’s core ejected, you can easily field strip thecylinderandremovesomeofthepinstacks,ifneeded.)

Figure 4.27 Padlocks from American Lock. This company has a wide range of modelswhichoffervaryingdegreesofphysicalstrength,buttheinternallockcoresineveryoneoftheseproductsareequallyformidable.

Americanlocksalwaysfeatureserratedpins(usuallyitisthekeypinswhichare serrated in theseproducts) andoften include spooleddriverpins in at least one chamber. These are significant obstacles to mostlockpickersat first,butusewhatyou learnedabout fieldstrippingandre-keyinginthebeginningofChapter3toprunethemdowntoamorereasonablelevelonyourfirstattempt.You should be able to open three-pin American locks with relativeeaseifyou’repatient.Fromthere,withenoughtimeandpatience,fourpinsandeven fivepins shouldeventuallyyield toyour toolsandyourskills.

Warning

WhileIamabigfanofcertainaspectsoftheAmericanLockdesign,itshouldbeknownthat

olderversionsoftheirpadlocks(particularlythe700series,1100series,and5000series)had

aglaringweaknesswhichwouldallowforfast,simplebypassinginmostsituations.Thishas

beenaddressedintheshackleless2000series,andwasneveranissueonmanyoftheirU.S.

Governmentmodels,but it shouldbeunderstood ifyouareusing this lock forhighsecurity

purposes.WewilldiscussthisattackingreaterdetailinChapter5.

Advancedsecuritypincylinder

Perhapsmyfavorite lock,as faras learningaboutpick-resistantpins isconcerned,isonethatIfoundinNorway.ItcanbeseeninFigure4.28.Iunderstand that these euro-profile half cylinders are popular acrossmuch of Scandinavia, and fromwhat I have seen in the collections ofother friends and associates,my supposition is thatmany of them areclonesoftheexceptional700-seriesdesignbyASSAinSweden.

Figure4.28 The“AdvancedSecurityPinCylinder”thatIoccasionallyfindinScandinavia.

IwishIhadapropermakeandmodelnamefortheselocks,howeverIencounterthemsoldundervariousbannersinnumerousstores.ThebestversionofthislockthatIhaveeverencounteredwasmarketedunderthenameDejoandfeaturedamenacingseven-pinconfiguration.Inspiteofallthesechambers,thelockhadonlyonestandarddriverpin.Threeofthe drivers were typical spool pins, while the remaining three were

doublespoolpinssimilartothe“sneakypins”describedbyHanFeyandseeninthischapterinFigure4.8.There is no end to the degree of challenge that this one lock canpresent.My friends and I have never been able to successfully pick itwithmorethanfivepinstacksinstalled.Iwasabletobumpthelockinanumber of advanced configurations, but as far as picking thosemonstrousspoolpins…fourismyusuallimit.Ionlyachievedthefive-pinattemptonce.(And,aswesayinthelockpickingworld,onceisluck.Onlywhenyou’vepickeda lock twice does it truly count. Three timesmeansyoufinallywinthebeer/girl/braggingrights.)Ifthislockissuchamonster,whydoIgiveitsuchpraiseasatrainingaid? I love it because of the multitude of ways in which it can bereconfigured and re-pinned.Again, this is a process best handled by afriendorassociatewhoiswillingtohelpyoulearn.Havesomeonefieldstripthelockandassembleitinatwo-orthree-or(whenyou’rereadyforit)four-pinconfiguration.Allowthemtochooseatrandomwhichdriverpins they will use in which positions. You will never know what toexpect,given that the lockoftencomeswith suchawide rangeofpindesignsrightofftheshelf.

SummaryThis chapter has provided an overview of some of the basic styles ofpick-resistant designs that manufacturers will seek to introduce incertainproducts.These solutions formaking locks slightlymoresecurearepopularduetotheirlowrelativecostandthefactthatsupplierswillrarelyhavetoretooltheirwholefactoryorchangetheiroverallproductdesigntomakeuseofthem.Pick-resistantpinslikespooled,mushroomed,andserrateddriversarecommon inmedium grade products available on store shelves. Higher

quality locks take this type of engineering a step further,with fancierdesignsandsometimesadditionalmillinginsidethepinchamberswithintheplug.Attemptsatpickingtheselocksmayfailinitially,butwithdedicationandpatience,itshouldbepossibleforthoselearningaboutlockpickingto grasp the mechanics of what is happening within these locks andultimatelyovercomesuchobstacles.Whilecertainspecializedtoolsmayhelpinthisprocess,manyare(inmyview)awasteofmoney.Youarebest served creating progressively-pinned locks in order to gainexperiencewith how these pick-resistant pins behave.When you havebecome comfortable enough, there are a number of inexpensive andeasily-accessibleproductsonyourlocalstoreshelvesthatyoucanusetotryyournewskillsonreal-worldhardware.

1Fey,H.CutawayCylindersandTheirLockingTechnique(Part1)[documentontheInternet].

TheOpenOrganisationOfLockpickers(TOOOL);2005May[cited2010Apr6].Available

from:http://toool.nl/images/f/f9/Cutaway1.pdf.

Chapter5

Quick-EntryTricks—Shimming,Bumping,andBypassing

ChapterOutline

PadlockShimsSnappingandBumpingCombPicksAmericanLockBypassToolDoorBypassingSummary

Puristsintheworldoflockpickingconsidertheactofusingcovertentrytoolswithfinesseastheonly“proper”waytoopenalockwithoutusingakey.Whencompetitionsareheld(andtheyare,manytimesperyear,infact…it’squiteasighttobehold,seeingpeoplefeverishlyandrapidlyopening all sorts of high-security locks in record time), lifting picks,raking picks, and tension tools are just about the only items you seecontestantsusing.However, in the world of penetration testing, one is not limited

exclusivelytotheuseof“sportlegal”tools.Whateverworks,howeveritworks…that’sthenameofthegameduringaphysicalassessmentorredteambreach.Manytimes,it’sfarmoreefficientandagreatdealeasiertobypasslocksinsteadofpickingthem.Thetermbypassingdoesnotrefertotheactof,say,findingaparticulardoortobelockedandthengoingthrough a window instead. No, bypassing is the act of triggering therelease of a locking mechanism without manipulating the pins orcombinationmechanisminthetraditional“picking”sense.Bypassingis

often faster, easier, and—indeed—used with greater frequency in therealworldthanmostofthetechniquesdescribedinChapters3and4.WhileitmightnotwinyouatopprizeatLockConoranyoftheotherlockpicking championships around the world, knowledge of bypassingcanoftenmakethedifferencebetweengettingpastalockeddoorinfivesecondsasopposedtofiveminutes.

PadlockShimsTheuseofshimmaterialisacommonpracticeinthelocksmithingtrade.Thinsheetmetalcanslipintovariousthincrevicesonalockandbeusedto force pins to behave in a specific manner (this is used sometimesduringtheactof fieldstrippingalock)or itcanbeusedtotriggertherelease of a latch mechanism (in order to pop open a padlock withminimaleffort).Themost common type of shim that can be seen in a covert entrytoolkit is a butterfly shim. Designed to be inserted into the body of apadlock near the shackle, these products are easily ordered fromlocksmithsupplycatalogsandontheinternet.Insteadofacquiringtheseitemsthroughtraditionalchannels,however,oneofmyabsolutefavoritetricks is homemade production of these incredibly useful items. Usingscrap aluminum sheet metal from soda or beer cans it is possible tofabricateyourownpadlockshimsinlessthanaminute’stime.Thisisatechnique that has beenknown for some time, but over the years thistechniquehassomehowbecomeverymuchassociatedwithmyname.Tosettherecordstraight,Iammostassuredlynotthefirstpersonwhohaseverthoughttouseametalcantoattackalock.Isometimesacceptthe credit for popularizing this particular technique which will bedemonstratedinFigures5.2through5.19,andIhappentobelievethatmy“Mshape”shimpatternisoneoftheeasiesttoattempt,butthereare

plentyof otherpadlock shimmingprocedures thatworkverywell.Myassociates who are involved with Survival, Evasion, Resistance, andEscape(SERE)trainingarewell-versedinimprovisingtoolsfrombobbypinsandhairclips.Ihaveseentheirtechniquesworkjustaswellasthisone.Youmaydiscoveranentirelydifferenttechniquebysearchingtheinternet or just experimenting on your own. That is perfectly fine. Asalways,dowhateverworksbestforyou.

TheDeviantbeercanshim

Usingmetalfromabeercanismyfavoritemeansofquicklyshimmingopen weak padlocks. Metal from any beverage can often works, butthickercansareoftensuperior.Tallcansholdingsixteenouncesofliquidareoftenofamorerobustconstructionthansmallerones.Thiscanhelp.There is also the natural advantage of havingmore rawmaterialwithwhich toworkwhen startingoutwitha tall can (seeFigure5.1). It ispossible,withcarefulcutting,toturnacanofsixteenouncesintoapackofsixteenshims.Cansoftwelveouncesorlessyieldconsiderablyfewershims.

Figure5.1 Metal frombeerandcider cansmakes the finest improvised shims.The tallersixteenouncecanswillnaturallyyieldgreaternumbersoftheseusefultools,butbothsourcesareequallyeffective.Sodasandenergydrinksoftencome in smallercanswhichnotonlyproducefewershims,buttheyarealsooftenthinnerandweaker.Expectmixedresultsonstubbornlocksifyourmetalisn’trobust.

This guide will show you, step-by-step, how to fabricate your ownpadlockshimsfromaluminumcans.Youcanusethistextasareference,naturally, but if you need to fabricate these shims in the field, it ispossibletoworktotallyfrommemoryifyoucanrememberjustasingle,simplestartingdimension.

Thespecificstartingsize

Begin by cutting a rectangle of metal that measures two and a halfinches long and one inch wide (see Figure 5.2). For those of youaccustomedtotheMetricsystem,thatwouldbeclosetofivecentimetersbytwocentimeters.Ifyoustartwiththissizepieceofmetal,everythingelseyoudoshouldworkveryeasilyandsmoothly.

Figure5.2 Thebeststartingsizeforahomemadeshimisapieceofmetaltwoandahalfincheslongandoneinchwide.

Makingyourmark

With apiece ofmetal cut to the requisite starting size, the rest of theprocess is a series of simple estimates, all of which involve dividingsegments inhalf. It isentirelypossible todo this simplybyeye,but ifyouwishtouseafelttipmarkertoassistyou(thisisespeciallyhelpfulwhenstartingout),flipthemetalovertoexposetheblankside.Dividethemetalinhalfacrossbothdimensions.Figure5.3showsthisprocessperformedwithguidelinesdrawnusingafelt-tippedmarker.

Figure 5.3 Divide your piece of shim metal (either visually or manually with a magicmarker)inhalf,bothalongthelengthandwidth.

Withthatdone,nowdivideeachofthesehalvesinhalf…resultingina series of quartering lines running in both directions, as shown in

Figure5.4.

Figure5.4 Theshimmetalisnowdividedintofourthsacrossboththelengthandwidth.

With this grid shape applied to the metal, five key points are nowapparent. Three of them are locatedwhere the shorter linesmeet oneedge.Theothertwoareattheintersectionwheretwooftheshortlinescross the middle long line. These five points are identified clearly inFigure5.5.

Figure5.5 Thefivekeypointsthatwillhelpusinthenextstep.

Themagic“M”shape

Byconnectingthesefivepointswithacurvedline,itispossibletocreateashapethatismoreorlesslikeacapitalletter“M”onthemetal.Ifyouhave been using amarker to draw on the aluminumup to this point,continuetodosonow.Markacurvedletter“M”asshowninFigure5.6.

Figure5.6 The“letterM”thatwillservetoguideyournextcutintothealuminum.

Cut this “M” shape out of your piece of aluminum. I caution you,however, do not be tempted to make a series of four, independent,simplecuts.Thatmaybeaneasyway tocuta letter“M,”but it is farfrom thebesttechnique.Trytocutthis“M”outofthemetalusingonelong, curved cut. Itmay take some practice, but using a singular cut—particularlyonethathascurvesasopposedtosharppoints—willmaketheshimmuchmorerobust.Curveswillhelptoevenlydistributeloadsandstressesacrossthewholesegmentofmetal.Sharpangleswheretwodistinct,separatecutsmeetcanbepotentialpointsofweakness.Figure5.7showsapieceofhomemadeshimmetalinthe“M”patternwithnicecurvedcuts.

Figure5.7 Apieceofhomemadeshimmetalthathasbeencutintotheproper“M”shape.

Withthe“M”cutmade,allthatremainsistofoldandbendtheshimintothepropershape.

Aseriesofsimplefolds

Recallthe“longer”linesthatweredrawnonthispieceofmetalduringthe initialphaseof theprocess.Thesenowbecomeour foldingpoints.Startingwith the long line that is the farthest away from the “M” cutwhichwasmadeinthemetal,foldalongthatlinesothatthe“top”edgeofmetal(topbeingarelativetermwhichappliestotheshimasweareviewing it in thisexample)comesdownto themidline.SeeFigure 5.8foranexplicit representationofwhere this fold takesplace.The resultshouldlooklikethemetalseeninFigure5.9.

Figure5.8 Thefirstfoldtakesplacealongoneofthe“longer”lines,bringingthetopedgedowntomeetthemidlineofthisrectangle.

Figure5.9 Afterthefirstfold,yourhomemadeshimshouldlooklikethis.

Nowall that remains is todealwith finalizing the “wing”pieces on

eachside.Somepeoplewill justcutthemoff,butI feeltheyaremuchbetter left intact. Folding them around, as shown in Figures 5.10 and5.11,makesthefinishedproductmorerobust.

Figure5.10 Foldeachofthetwoendpiecesupwards.Somepeoplecallthisstageofshimfabrication the “moose” in that the upward-facing ends look like antlers framing an animal’shead.

Figure5.11 Foldingtheendpiecesonefurthertimearound.Theshimisnowalmostfullyformed.

Thelastthingthatremainstobedoneistoworktheshimmetalintoaproper, rounded shape.This canbeperformeddirectly on thepadlockyouwishtoopen,or—ifyouhaveapenorotherroundedobjecthandy—youcanroundtheshimthatway,asshowninFigure5.12.

Figure5.12 Usingaballpointpentogivetheshimaroundedshape.

Insertandtwist

You should now have a shim that very closely resembles the“professional” products you would normally be able to buy in alocksmithsupplycatalog(seeFigure5.13).Thistoolisnowreadytobeusedintheopeningofapadlock.

Figure5.13 Afully-formed,properly-shapedhomemadepadlockshim.

Insert the tip of the shim into the lock on the outside edge of theshackle.Itisnecessarytoknowwhichsidetheshacklelatcheswithinthe

lockbody.Thiscannaturallybeobservedifthelockisopen…whereverthereisanotchcutintotheshackle,thereisaretainingmechanism.InthisexamplewewillbedemonstratingwithaMasterCombinationDiallock (shown inFigure5.14)which retains the shackle onlyon the leftside (from the perspective of someone facing the operating dial of thelock).

Figure5.14 AMasterbrandcombinationdial lockisperhapstheeasiesttoattackwithapadlockshim.Irecommendpeopleattemptthistechniqueforthefirsttimeusingthispadlock.Inparticular, thealuminumversionof this lock(which isalmostalwayscolorized,not silver liketheoriginal steel combinationdial locks) isweakerand tends tohavewidercrevices. It is themost forgiving of novice errors and the best learning tool for thosewho are learning how toshim.

Insertyourshimintothelockandgetthetipseatedintoposition,asshown in Figure 5.15. It will not be possible to insert the shim toodeeply at this time, since the “wings” of the shimwill strike the lockbody,asseeninFigure5.16.

Figure5.15 Ashimthathasbeenproperlyseatedintoposition.

Figure5.16 Theshimcannotinsertfurtherintothelockatthistime,sincethewingpiecesarestrikingthelockbody.

Now the magic happens. Pinch the wings of the shim together astightlyasyoucan.Thiswillgivetheshimstrengthandrigidityduringthenextstep.Keepingatightholdonthewings,rotatetheshimaround(ineitherdirection)sothatthewingsnowfaceout,awayfromthelockbody.Whilerotatingtheshim,applydownwardpressuresothatthetip

sinks further inward. Ifyou’vedoneeverything right (andhadabitofgoodluck,perhaps)thingsshouldappearastheydoinFigure5.17.

Figure 5.17 A padlock that appears to have been properly shimmed. Notice how far“down”intothelocktheshimhassunk.Thatisagoodthing.

Ifyoubelievethatyouhaveinsertedtheshimfully,trytopullupontheshackle.Donotgripordisturbtheshimduringthisprocess…leaveit alone completely. Simply pull upon the shackle and the padlock’sbody.Moreoftenthannot,thelockwillpopcompletelyopenwithease(seeFigure5.18).

Figure5.18 Theendresultafterthesuccessfuluseofahomemadepadlockshim.

This process is usually not damaging to the lock. Occasionally, ifyou’re lucky, it won’t even result in much damage to your shim.However,itshouldbeunderstoodthatallpadlockshimsaredisposabletools.Evenproper,factory-madeunitswhichtendtobefabricatedoutofsteelwillnotlastforever.Homemadeshimscraftedfromaluminumhaveanevenshorterservicelife.Afteroneortwoattempts,itisnormaltoseedeformations and cracks forming near the tip (see Figure 5.19). Mostaluminumshimswillnotlastbeyondahalf-dozenuses;manycrumbleortearafterjustoneortwoattempts.

Figure5.19 Afterjustoneattempt,thisshimisalreadyshowingsignsofwear.Iwouldnotexpectittosurvivebeyondafewmoreuses.

Doubleshimming

Thepadlockshowninthisfirstexample(inFigures5.14through5.18)only retained the shackle bymeans of a latch on a single side.Manypadlocks, especially those which operate with keys, have retainingnotches(and,thus,internallatches)onbothsides.Whenalockisopen,itispossibletoobservetheshackleandseeifitisasingle-sidedordual-sidedmechanism(seeFigure5.20).

Figure5.20 Padlockswithtwodifferent latchingdesigns.Thepadlockonthe left latchesononlyonesideoftheshackle.Thepadlockontherightlatchesonbothsides.

It is often still possible to use a shimming attack against a padlockwhich latches on both sides of the shackle. Two shims are needed, ofcourse.Theydonothavetobeoperatedsimultaneously(atexactlythesamemoment), however. A shim can be applied on one side, twisteddown into position, and then a second shim can be applied momentslater.Theorderinwhichthisisdonerarelymatters.

Tip

Interestingly,homemade shims fabricated from thinmetals likebeverage canaluminumare

oftenthebesttoolforthejobondual-latchingpadlocks.Factory-mademetalshimsareoften

muchthicker,whichcanresultindifficultyduringinsertionandtwisting.Somelockssimply

don’thaveenough“wiggleroom”inbetweentheshackleandthelockbodytoaccommodate

twothicksteelshims.Thethinaluminumshimsoftenfitintothesesortsofcreviceswithease,

however.

Unshimmablepadlocks

Notallpadlockscanbeattackedwithshims.Infact,inmyview,alockisn’ta“proper”padlock,worthyofyourmoneyataretailoutlet,ifisnotprotected against shimming.Themost commonmethodof designing apadlock such that it cannot be shimmed is with the use of a “doubleball”mechanism.ThelockshowninFigure5.21hassuchamechanism;eventhoughitisaverysmall,verycheappadlockitisstillresistanttothisattack.

Figure5.21 Thispadlockfeaturesa“doubleball”mechanism,whichisdescribed(andevendiagramed)prominentlyonthepackaging.

Doubleballmechanismsrelyonacentralcontrolcam(attachedtothetailsideof theplug)thateitherallowsorblocksthemovementof twosolid ball bearings. If that cam is not turned, the ball bearings cannotmove.A shim is not going to be able to apply any sort ofmeaningfulpressurewithinthelockandbypassthepins,leadingtoaquickandeasyrelease.

If you are purchasing supplies from a proper locksmith, you canalwaysjustinquiredirectlyastowhetherornotaparticularpadlockisprotected against shimming. If you do not have an expertwithwhomyoucanspeak, it isoftenpossibleto lookat thenotchcutsona lock’sshackleinordertodeterminewhatmechanismisholdingitshut.Asseenin Figure 5.22, there are various styles of notches that are cut intopadlockshackles.Notchesthatfeatureany“straight”linesareoftenusedtoengageweak,spring-loadedlatches.Notchesthatareentirelycurved-shapedareusuallyasignthatadoubleballmechanism(orsomeotherunshimmableretainingpiece)isusedinthelock.

Figure5.22 Notches on the shackles of three different padlocks. The first two are fromlocks that can be attacked with a shim, as evinced by the straight edges that appear in thenotches.Thethirdshackle,onthefarright,hasanotchwhichisentirelycurved.Thisisalmostalwaysasignofaproper,doubleballmechanism.

Pleaseknow, thesizeofa lockrarelycorrelates tohoweffectively itcan resist shimming. Some of the largest locks on the market (oftenmarketedundertermslike“commercialgrade”orotherrobust-soundingnames)aredesignedtoresistbruteforceattacks(aswithacrowbaror

boltcutters)butarewhollyunprotectedagainst shimming.Conversely,someverysmallpadlocks(liketheArgentineanlockinFigure5.21)areunshimmable.LookatthetwolocksinFigure5.23.Bothoftheselocksare completely resistant to shimming and have the same internalconstruction,despiteappearingquitedifferent.

Figure5.23 TwodifferentmodelsoflockbytheFinnishcompanyAbloy.Despiteappearingquite distinct, these locks have almost identical internal construction and each one uses anunshimmabledoubleballmechanism.Notethecurvedshapeofthenotchesonbothsidesofeachshackle.

Muchmore information concerning padlock shimming can be foundontheinternet,especiallyifyousearchGoogleorYouTube.Indeed,myown instructional video regarding shimming (which covers all of thismaterial and more) can be found here…http://www.youtube.com/watch?v=U8Cj47hFtx4.

SnappingandBumping

Lockbypassingisn’tjustatechniquethatcanbeusedonpadlocks.Theintricate pin tumbler mechanisms in many door locks can also bebypassedentirely, oftenwithhighly simplistic tools.The techniquesofsnappingandbumpinghavebeenknowntolocksmithsforyearsandrelyonverysimplelawsofphysicstoquicklyspringalockopen.

Snapguns

Occasionally featured on TV programs about crime or espionage (andoften found listed in thebackpagesof spypublicationsandsoldier-of-fortune catalogs) are tools known as pick guns, also known as “snapguns”or“locksnappingguns”.Thesetoolsfeaturealongtriggerhandlewhich,whenpulled,will retractand thenquickly releaseaneedle-likearm. This arm is designed to be inserted into the keyway of a pintumblerlockandheldsuchthatitwillsmackintotheexposedsurfacesofthekeypinswhenthe“snap”takesplace,asshowninFigure5.24.

Figure5.24 Apickgunorsnapgunisdesignedtobeheldsuchthatthelongneedle-likearmfliestowardthepinstacks,contactingthekeypins.

Inanidealworld,theresultingstrikeagainstthepinstackswilltakeplace simultaneously across all key pins in the same instant andwithrelativelythesameforce,asdepictedinFigure5.25.Newtonianlawsofmotiontellusthat,likeballsonabilliardtable(suchastheonesseeninFigure 5.26), energy should transfer through the key pins (see Figure5.27) and result in movement of the driver pins. If you’re lucky, thedriverpinswillfly“upward”(seeFigure5.28),allowingyoutoturntheplugifyoutimeeverythingperfectly.

Figure5.25 Whenusingapickgun,oneattemptstomaketheneedlearmcontactallofthetipsof thekeypinssimultaneously.This isoftenverydifficult.Notonlymust thepickgunbeheldperfectlylevel,buttherehastobeenoughroomwithinthekeywayforthearmtotravel.Thisislessandlesscommononmodern,well-engineeredkeyways.

Figure5.26 Lock snapping (and bumping, for that matter) relies on basic principles ofNewtonianphysics,whichcanbeillustratedviathetransferofenergybetweenballsonabilliardtable.

Figure5.27 Ideally, energy that isdelivered to thekeypinswill transfer through to thedriverpins.

Figure5.28 If all goeswell, thedriver pinswill fly out of their default positions for aninstant,allowingthelock’splugtoturn.

Bumpkeys

AsmentionedinthedescriptionofFigure5.25,thoseattemptingtousepick guns will often experience difficulty if the needle arm doesn’tcontact all of the key pins at exactly the same moment and deliveradequate force. It is quite possible, however, to replicate this samephysicalforceusingadevicethatismuchsmaller,morereliable,and(inmyopinion)easiertooperate.Iamspeakingaboutabumpkey.

Whatmakesakeyabumpkey?

Abumpkey,initsmostbasicform,isnothingmorethanakeywhichisdesigned for the keyway profile of a specific lock andwhich has hadeachofitsbittingpositions(seeFigure5.29)cutdowntoaparticularlydeeplevel(seeFigure5.30).Occasionally,thistypeofcuttingcanresultinaparticularlylargeriseofmetaloutnearthetipofthekeyblade(alsovisibleinFigure5.30).Ifthiseverhappens,itisoftenadvisabletomakean additional bitting cut (at an equally deep level) in one further

position (as shown inFigure5.31). If youhaveaccess toa locksmith’scode-cuttingmachine, this typeofkey fabrication isoftenachievedbyprogramming the cuts at the deepest manufacturer-defined depth ineveryposition.(Becausethisisveryoftenadepthvalueof9,bumpkeysaresometimescalled“999”keys.)

Figure5.29 Thebittingpositionsonanormalkeyareallevenly-spacedalongtheblade.

Figure5.30 Onabumpkeythosesamebittingpositions(asseeninFigure5.29)areused,but the cuts are made to a much deeper level. Typically, each position is cut to its factory-deepestsetting,usuallyadepthof9onacode-cuttingmachine.

Figure5.31 Toeliminatethelarge“hump”ofmetalwhichissometimeseenonthetipofabumpkey(oneisvisibleinFigure5.30),anadditionalbittingpositioncanbecut intothekeybladeoutnearthetip.

ThekeysshowninFigures5.30and5.31areofatypetypicallycalled“pull”bumpkeys.The“pullandbump”techniquewithwhichtheyareused is depicted in Figures 5.34 through 5.36. Some people, however,choosetomodifytheirbumpkeysevenfurther.Byremovingadditionalmetal around the shoulder and tip of the key (see Figure 5.32), it ispossible to make a “push” bump key. Taking off approximately .03inches(justshyof1mm)ofmetalfromtheshoulderandtipwillresultinakeyliketheoneseeninFigure5.33.Thistypeofkeycanbeusedtoperforma“pushbump”technique.

Figure5.32 Additionalmetal is removedat thesepointsona“pull”bumpkey to turn itintoa“push”bumpkey.

Figure5.33 A“push” stylebumpkey.Alsoknownasa“negative shoulder”or “minimalmovement”bumpkey.

The“pull”bumpmethod

Thetwomethodsbywhichbumpingcanbeperformedarerelated,butvaryenough that separatediagramswillbeused todemonstrate them.Thefirsttechniquewewillexamineisthe“pull”method.Thisiswidelybelieved to be the “original” style of bumping that was popular withlocksmiths fordecades, longbefore theamateur lockpickingworldandthe hacker community (and, through them, the public) gainedwidespreadknowledgeofbumping.Even though ithasbeencutdownconsiderably,abumpkey’sblade

(particularlytheprotrudingpoints)willstillmakecontactwithallofthekeypins ina lockas it is inserted into thekeyway.Witheachpassingstackthereisanoticeable“click”thatcanbefeltandheard.Toperforma“pull”bump,thekeyisinsertedallthewayintothelock,thenpulledout by “one click” (see Figure 5.34). It is then struck directly andsquarely on its head, driving it into the lock.As it travels inward, thesmall ridgepointswill smashacross thekeypins,deliveringa forceful

blow to them (see Figure 5.35). Since the pins are being held inchambers and thus cannot travel laterally, the only direction inwhichthisforcecantravelis“upward”towardsthedriverpins.Thedriverpinswillthenreceiveallofthisenergyandflyupward,leavingtheplugfreetorotateforasplitsecond(seeFigure5.36).

Figure5.34 Abumpkeyinpositionfora“pullandbump”attempt.Ithasbeenpulledoutby“oneclick”andisreadytobestruck.

Figure5.35 As thestrikecomes, thebumpkeymoves into the lock,smashingacross thekeypinsasitdoesso.

Figure5.36 Thislookstobeasuccessfulbumpattempt,withthedriverpinsmovingoutoftheirdefaultpositions,hopefullyallowingtheplugtorotateifeverythingistimedjustright.

The“push”bumpmethod

AdifferenttypeofbumpingattackispossibleifoneisusingakeyofthetypeshowninFigure5.33.Knownasa“push”technique,itisperformedwiththebumpkeyfullyinsertedintothelock(seeFigure5.37).Thekeyis not, in other words, “pulled out by one click” at the start of theprocedure.Theremovalofextrametalneartheshoulder(andtip)ofthekeywillallowittoover-insertintothelock.Thissmallamountofextrawiggleroomisoftenenoughtoallowthesmallridgesofthebumpkeytocontactthekeypinsanddeliveradequatebumpingforce.

Figure5.37 A“push”stylebumpkeyinposition.

Aswiththe“pull”method,asolidblowisdelivereddirectlyupontherearmost protruding part of the key’s head, knocking the key inward.Theridgeswillcontactthekeypins(seeFigure5.38)andtheresultantforcewilllikelybetransferreduptothedriverpins,thuscausingthemtojumpoutofposition(Figure5.39)sothattheplugcanbeturned.

Figure5.38 A“push”stylebumphitbeingdelivered.

Figure5.39 Withtheenergytransferredtothedriverpins,theyshouldhopefullyalljump

outofpositionandleavetheplugfreetoturn.

Afewtipsabouttechnique

Bumpingmayappear tobequite abrutal tactic (and, indeed, it isnotverygoodforthelock…itgenerallyleavesclearvisualindicationsafteroneor twoattempts and can seriouslydegrade the lock’s functionalityovertime),butitisalsoonewheresomedegreeoffinesseisnecessary.Thereisn’tmuchthoughtthatgoesintodeliveringtheblowuponthebumpkey (theadvice Ialwaysgive topeople is, simply, try tohit thekey hard enough that it will hurt if you miss) but your timing whenattempting to turn the plug is critical. Somepeople advocate applyingslight turning pressure to the key before youmake your strike.Whilethishasbeenknowntoworksometimeswiththe“pull”method,Idonotrecommend it personally. After all, any such turning force is likely tocauseatleastoneofthepinstackstobind,andthatmeansthatatleastonedriverpinwon’tbeeasilyabletoflyupwardandoutoftheplug.Iadvisepeople tokeep their fingers inposition,near thebumpkey,buttonotapplyanyturningpressureuntiltheexactmomentthatthehithaslanded.Ibelievethisgivesyouthebestchanceofsuccess.Intruth,it’sallamatterof timing. Ihaveseengreat frustrationon the facesofmanypeoplewhoareattemptingtobumpalock…then,whenitworksfor themone time, they suddenlycannot figureoutwhatwas sohard,andtheyrepeattheprocesswithsuccessfromthatpointon.Having the right tool for striking the key makes some difference.Plentyof improvisedbumphammers exist (Ihave seeneverything frombutter knives to screwdrivers to other locks used successfully inbumping),butsomeofthebesttoolsareoftenpurpose-built.Sadly,theonebumphammerwhichisthemostcommercially-available(developedand sold by Peterson Tools) is, inmymind, themost difficult to use.

Othertools,likethelegendaryTomahawkhammerandKEmarkIIBumpHammer,havebeenmadeinlimitedquantitiesbytheleadershipofTheOpen Organisation Of Lockpickers in the Netherlands and the UnitedStates,respectively,butaren’tinwidespreaddistribution.Regardingwhichtechniqueismoreeffective…aswithmostaspectsoflockpicking, that varies for each individual. If I had to generalize, Iwouldsaythatthe“pull”methodmightbealittlebiteasiertoperform,butitisslowerifyouwishtomakerepeatedattempts.Becausethekeyhastobemanuallypulled“out”byonenotcheachtime,anunsuccessfulbumpmustbefollowedbyapausewhileoneresetsthekey,thentakesapositionnearbywith fingertips,and triesagain.The“push”bumpkey,ontheotherhand,willnaturally“reset”itselfaftereverystrike,allowingforrepeatedattempts,oneaftertheother. Iwillcautionyou,however,thatifthelockhasn’topenedafterahalf-dozenblowsorso,itisusuallybest to remove the key (and possibly inspect it to see if there is anynoticeabledamageordeformity),thenreinsertitandstartagain.Nomatterwhattechniqueisused,overtimethistypeofattacktendstodegrade the lock’s internalsaswellas its front face. Itwillbequiteobvioustoevencasualobserversifalockhasbeenbumpedrepeatedly.

Bump-resistantandbump-prooflocks

The vast majority of pin tumbler locks in use today are able to bebumped.A What then, you might be wondering, makes some locksimmune (or at least resistant) to this problem?There are twoways ofmitigating the threat of bumpkey attacks.One is very expensive (andimpractical formostmanufacturers); the other ismore achievable butnotseeingmajormarketpenetrationatthetimeofthispublication’sfirstedition.Certainhigh-security locksareoutright immune tobumpingbecause

their mechanisms either do not operate with pin tumblers or becausetheir pin stacks are augmented by additional components that whollyeliminate the risk of bumping.A brief overview of high security locksthat simply cannot be bumped under any circumstances would be asfollows:

•RotatingdisklockssuchasthoseofferedbyAbloyandAbus• Locks that feature “sliders” such as the Evva 3KS and the latestgenerationofMul-T-Lockproducts(theirMT5series)•Magnetic key systems like the EVVAMCS and many products fromMiwa

This is, of course, by nomeans an exhaustive list. It should also beunderstood thatmostof the lockson this list retail for close to (ifnotmore than) 100 USD. Interestingly, some locks which I would notconsider high security for other reasons are, in fact, almost entirelyimmunetobumpingattacks.Waferlocksandthe“SmartSeries”linebyKwikset are two such examples. I would not trust them to protectseriouslysensitiveareas,butyoucanrestassuredthatnoonewillbumpthese open. How, then, is bump protection achievable in typical,everydaysituationswhereonealsodesiresresistancetocovertentry?The answer lies in the ways that some manufacturers are retoolingtheirprocesses inorder toproducebasic,cheappin tumbler locks thatcan withstand bump key attacks. Much as we saw in Chapter 3, it isoften possible to change the pins in a lock without dramaticallyreengineering therestof the lock’smachiningprocessand indoingso,changehowthelockperformsagainstpotentialattacks.InChapter 3 we saw how spool pins, serrated pins, and other suchpins can frustrate picking attacks.Well, somemanufacturers today areexperimentingwithbump-resistantpinsinthesamefashion.Twoofthe

mostsuccessfuldesignstodatehavebeenpinsdesignedbyMasterLockandIlco.

MasterLock’sbumpstoptechnology

TheMasterLockcompanyhasdoneextensive studiesof thephysicsofbumpinganddevisedanewwayofpinningtheirlockcylindersthatcanoften eliminate a great deal of the risk that this attack poses. Bychangingtheshapeofoneoftheirdriverpinsandnotallowingittodropintotheplugcompletely(asseeninFigure5.40)itispossibletomakeabumpingattempthighlyimpractical.Withasubstantialgapbetweenthekeypinandthedriverpin,energycannottransferandthedriverpin(atleastinonechamber)willnotmove.

Figure5.40 Alockthatincludesoneanti-bumppinoftheMasterLockBumpStopdesign.The driver pin in chamber five does not contact the key pin and thus cannot easily accept atransferofenergyduringabumpattempt.

One aspect of the Master Lock design that makes it not 100%adoptableisthefactthatthisdifferently-shapeddriverpinhasaslightlylargerdiameterthantheothersinthelock.Thatnecessitatesawiderpinchamberinthehousingandpreventssuchapinfrombeinginstalledin

anaftermarketfashion.

TheIlcoanti-bumppin

The Ilcocompany isnotusually recognizedasamanufacturerof locks(although they do offer a line of replacement lock cylinders) but isinstead famous for being a major supplier of lock components andlocksmithing supplies. Recently, they beganmarketing a series of pinsand springs that they have designated as their “Bump Halt” solution.Insteadofattemptingtopreventadriverpinfromdroppingcompletelyintotheplug(asMasterLockdoes),Ilcoofferslocksmithstheabilitytousepinsofwidelyvaryingmass(alongwithhigh-strengthsprings)whichcandramaticallyinterferewiththephysicsofbumping.ByinstallinganIlcoanti-bumpdriverpin(andaccompanyinghigh-strengthspring)intoone or two chambers (see Figure 5.41), one can drastically shift themannerinwhichpinsbehaveduringabumpattempt.

Figure5.41 An Ilco Bump Halt pin and high pressure spring has been installed in thesecondchamberofthislock.

BecauseoftheIlcopin’sgreatlyreducedmassandthehigher-strength

springthatsitsontopofit(and,indeed,surroundsit)thispinwillnottravel up and down at the same speed as the other pins in the lockduringabumpattempt.ItisstillpossibletogetaBumpHaltpintojumpslightlyduringbumping,butitislikelytohavereachedthecrestofitsleapandalreadybereturningdownwardtowardthekeypinbeforetheother“standard”driverpinshaveleaptupoutoftheplug.MyassociatesandIhavetriedinstallingIlcoBumpHaltpinsintolocksandthenbumpingthem.Iwasabletosuccessfullybumpalockwithasingle Ilco driver pin just once (and, as we say in lockpicking…somethingmustberepeatableatleasttwiceorelseitdoesn’tcount),andoncewestartedtryinglockswithtwosuchdriverpinsnoonewasabletobumpthelocksatall.This is, inmy view, a splendid low-cost solution to the problem ofbumping. It does not eliminate the physical risk, mind you… it justmakes bumping attempts incredibly unlikely to succeed. An additionalbenefitofthisBumpHaltstyleofpinisthatnomodificationtothelock’splug,housing,orkeyisneeded.Itcanberetrofitintojustaboutanypintumblerlockwithease.

CombPicksLikebumpkeys,combpicks(asetofwhichcanbeseeninFigure5.42)areanotherveryoldtypeofattacktoolthathadfallenoutoffashionforatime,butwhicharenowreceivingattentionagain.Thisisduetothefact thatmostmanufacturers had eliminated the risk of theover liftingattack (which iswhat combpicksdo) some timeago.However, like avirus that hasn’t surfaced for an outbreak in years, over lifting hasstartedtoappearagain…duetothefactthat(tocontinueourinfectiousdiseaseanalogy)the“immunesystems”ofsomelockmanufacturershavedegradedovertimeduetolackofuse.

Figure5.42 Asetofcombpicks.

Overlifting

Most pin tumbler locks aremanufacturedwith rather limited room inthe plug chambers. There is enough space for the pins and springs, ofcourse,andsomeroomforthestacktotraverseupanddowninordertooperate…butbeyondthatthereislittleelse.Indeed,thisis—inaway—oneof thesecurity featuresof such locks.Pinstacks,whether theyarevery tall (see Figure 5.43) or very short (see Figure 5.44), cannot bepushedentirelyupintothehousingofthelock.

Figure5.43 Attemptstoliftthesecondpinstackofthislockbeyondthefunctionalheightareultimatelystoppedbythetopofthepinchamber.

Figure5.44 Attemptstoliftthefourthpinstackofthislockbeyondthefunctionalheightareultimatelystoppedbythetopofthepinchamber.Eventhoughthekeypinismuchsmallerthanthepininthesecondposition(whichwasseenraisedinFigure5.43),itstillcannotleavetheplug…thereisn’tenoughroominthepinchamberwithinthehousing.

Of course, that is how locks are supposed to work… but that’s notalways how they are designed and manufactured. Sometimes, due topoorplanningorfabricationshortcuts,locksareproducedwithexcessivespace in the housing and, thus, extra-long pin chambers (see Figure5.45).

Figure5.45 Apoorly-produced lockwhichfeatures toomuchspace intheportionof thepinchamberthatrunsthroughthehousing.

Alocksuchasthisissusceptibletoanoverliftingattack.Byraisingallof the pin stacks beyond their normal operating heights it can bepossibletorotatetheplugfreelywithoutactually“picking”thepins.

Usingcombpicks

Combpicksareinsertedintothekeywayofalock,moveddeepenoughthat they can contact all of the key pins simultaneously (see Figure5.46),andthenliftedverticallyinordertopushtheentirelengthofeachpinstackcompletelyoutoftheplug,asshowninFigure5.47.

Figure5.46 Acombpickinsertedintotheplugofavulnerablepintumblerlock.

Figure 5.47 A comb pick that has successfully lifted all of the pin stacks up into thehousing.Theplug could freely rotatenow. (A tension tool couldbe employed to assist in theturningmotion.)

Comb picks come in large kits due to the varied pin spacing anddifferentnumberofpin stacks (not tomentiondifferingdegreesof liftnecessary)inlockstoday.Fortunately,themajorityofname-brandlockstendtonotbevulnerabletothisattack,butwithincreasingmarketplace

competitiondrivingpricesever-downward,somesuppliers (particularlyno-namevendorswhomanufacturetheirpartsinthedevelopingworld)donotconsidertheriskofoverliftingwhenproducingtheirlocks.

AmericanLockBypassToolOne of the craftiest bypass products I have ever seen is developed byPetersonToolsandisusedtoattacksomeofthemostpopularofferingsbytheAmericanLockcompany.Itisalsoeffectiveagainstsomeofthisbrand’scompetingproducts.Foratime,AmericanLockhaddevelopedafix that would frustrate (although not totally prevent) this attack.However, American Lock is now wholly-owned by Master Lock. Thelatter company has now started producing Master-branded productswhichdirectlycompetewithAmericanLockgoods(whicharealsostillproduced and sold under their original name). Despite appearingvirtuallyidenticalonstoreshelves(seeFigure5.48)therearesignificantdifferencesbetweentheselocks.Themethodologybehindthe“AmericanLockBypassTool”canpotentiallyworkagainstbothofthesebrands.

Figure5.48 Competing products fromMaster Lock and American Lock (which are nowowned by the same company) in the “square body padlock” line. Despite looking similar andhavingvirtuallyidenticalpricetags,theinternalcomponentsarestrikinglydifferent.

TheuniquebypasstoolofferedbythePetersoncompanylooksatfirstglancelikeitcouldbeaconventionallockpick(seeFigure5.49),butitisin fact something quite different. It is not a hook pick, and it is notinserted into the keyway facing toward the pin stacks. It is insertedfacingaway fromthem,and it ispushedall theway through theentireplug and out the tail side. As you can see in Figure 5.50, the shacklereleasemechanismintheselocksisacontrolcam(theselocksuseahighqualitydoubleballmechanism)that featuresaquarter-circle typeedgeononeside.Thatquartercircleinterfaceswiththetailsideoftheplug.Thisbypasstoolcanreachbeyondtheplug(becausethislock,likemostothers if you recall from Chapter 1, has the keyway milled entirelythroughtheplug)andapplypressuretothecontrolcamdirectly.

Figure5.49 An“AmericanLockBypassTool”fromPetersonTools.Contrarytohowitmayappearinthisphoto,itisnotaconventionalhookpick.

Figure5.50 Abypasstoolreachingthroughthepluginordertocontactthecontrolcam.(This is a disassembled lock, of course. During actual operation, the cam would be presseddirectlyupagainstthetailpieceoftheplug.)

What is ironic about the American Lock/Master Lock pairing is thefactthatwhilethesetwoproductlinesappearsimilar(indeed,theybothfeaturethisstyleoflockcoreandcontrolcamwhichcanbeexploitedbythis style of attack), there are actually many distinctions internallybetweenthetwoproducts.American Lock was aware of the bypass problem in the past. They

began engineering their newer models in ways that could not beexploitedB and retro-fitting existing locks with something known as a“blockingwafer”thatwouldpreventtheuseofthebypasstool.Now,thefolksatPetersoneventuallydevisedacompanionproduct (knownasa“waferbreaker”)thatwoulddefeatthisupgrade,aswell…butitbecamemuchhardertoperformthebypass.AllmodernAmericanLockproductsonstoreshelves today shouldhavethis“blockingwafer” installed fromthe factory. The Master Lock variant of the square body padlock,however,doesnot seem to ship from the factorywith thisprotection.C

OneotherkeydistinctionbetweentheAmericanLockandMasterLockversionsofthisstyleofpadlockisthelackofpick-resistantpins.Aswasmentioned in Chapter 4, American Lock products are routinely

constructedwithahealthyassortmentofspooledandserratedpins(seeFigure 5.51) that can thwartmany picking attempts. TheMaster Lockversion of this line of products has no such protection… they are allstandard,cylindricalpinsineverychamber.

Figure 5.51 Pins from a modern padlock produced under the American Lock name.Serratedkeypins(shownontheleft)arepairedwithserrateddriverpins(shownontheright).Therewasevenaspooldriverpininonechamber(showninthemiddle,nearesttothespring).

Of course, in my view, the real tragedy here is that locks are stillshippingfromthefactoryvulnerabletoanattackwhichhasbeenknownand discussed publiclyD for years. This vulnerability would be totallyeliminated if the padlocksweremade to bekey retaining,much in theway that the U.S. Government version of the American Lock line ofproductsallare.

DoorBypassingThe previous three sections (discussing bump keys, comb picks, andpadlockbypasstools)involvemethodsofdefeatingpintumblerlocksbyinsertingnon-standardtoolsintothekeyway.Oneshouldneverdiscount

theabilitytoopendoorswithouteverinteractingwithanythingnearthelockmechanismitself,however.Perhapsthepurestformofbypassingiswhen one completely disregards a keyway entirely and attempts tosimplyspringadooropen.Theword“spring”isparticularlyrelevantinthiscontext,asmanyof

themostbasic“doorbypasses”involvetheexploitationofweak,spring-controlledmechanisms.Thetwomostcommonstylesofdoorbypassthatthissectionwilldiscussarethepoppingofspring-loadedlatchesinthedoorjambandmanipulationofspring-loadeddoorhandles.

Slipattacksagainstlatchbolts

There is a reason that anyone serious about securitywill insist that adeadboltbe installedonanydoorwhich isprotectinga sensitivearea.Deadbolts (aswe have seen in Chapter 1) derive their name from thefactthatthelockingbarremainsinastaticpositionuntilitisacteduponbytheturningofalockplug…itisa“dead”mechanismwithnoforcesorpressuresofitsownthatcancausemovement.Notalldoorsfeatureadeadbolt… but nearly every door has somemanner of simple latchingmechanism.Door latches (also sometimes called catches) are designed to hold a

door shut until a handle is turned. These devices are almost alwaysspring-loaded and typically involve a small protrusion of metal (thelatch) clicking intoplaceupona strikeplatemounted to thedoorjamb.For the user’s convenience, a key is typically not needed to operate alatch;simplypullingthedoorshutissufficienttoengageit.Often,itispossibletolockadoorknoborhandle,butthismerelypreventstheknobitselffromturning,itdoesnothingtosecurethelatchitself.Asanyonewho has watched old spy-themed TV shows knows, slipping thinmaterial(ontelevisionandinfilmsacreditcardisapopulardevicefor

this purpose) into the crack near the doorjamb can often result in thelatchbecomingdisengagedtemporarily.Thisisknownas“loiding”andmanytimesitworksjustasquicklyasviewersareledtobelieve.Whilecreditcardsandsimilarthinmaterialscansometimesworkon

doors that open inward (where all that is needed is simple pushingpressureappliedtothesideofthelatchthatfacesyouinthedoorjamb),it is also quite possible to attack doors that require pressure from theother,lessaccessible,side.Oneofmyfavoritestoriesaboutthetoolsandsupplies carried by certain penetration testers during red team auditswas told to me by an individual who participated in the DiscoveryChannelprogramTigerTeam.LukeMcComieisoftenheardpraisingthevirtues of having a “lucky number seven” in his tool bag on manyphysicalpenetrationtests(seeFigure5.52).

Figure5.52 Aphysicalpenetrationtester’s“luckynumberseven”.

Ahousenumbersevendigit(madeoutofmetal,preferablyasthinaspossible)isoftenaveryeffectivedoorjambshovingtool.Itiscapableof

not only triggering the release of a door latch with direct, frontalpressurebutcanalsobeusedtohookandgrabtheinwardsideofadoorlatchinmanyinstances.Itmayseeminelegant(andwouldn’tbeallowedin a professional lockpicking competition, of course), but duringpenetration testing, you should always use whatever means you haveavailable.Ifthatmeansbypassingadoorusingaluckynumbersevenasopposed to picking your way in… by all means go with whatever isfastest!

Triggeringdoorhandlesandpushbars

InordertocomplywiththeAmericanswithDisabilitiesAct,businessesno longer equip office doorswith round knobs. All door handles nowtendtobeofthetypeseeninFigure5.53,longandeasilygrasped.Manyoffice doors also feature push bars (sometimes called crash bars, seeFigure5.54),whichsimilarlyallowforgreaterease-of-use.

Figure5.53 AnADA-compliantdoorhandle.

Figure5.54 Apushbar(a.k.a.crashbarorpanicbar)installedtocomplywithfirecodes.

Thesetechnologiesallowdoorstobeoperatedmoreeasily,yes…buttheyalsofacilitateanumberofattacksthatcanbeexecutedif there isanyroomtoreacharoundorunderneaththedoor(duetolessthanidealmounting, lack of weather stripping, or other gaps that can naturallyoccurwhensecurityisnotconsideredduringadoor’sinstallation).Suchhardware is almost always found in facilities of all shapes and sizes,exceptthoserareinstanceswhenaninstitutionisworkingwithmaterialthatishighly-sensitiveenoughtobypassthe“safety-of-life”requirementsthatarecodifiedinlaw.Someof thebest and simplest additionsyoucanmake toaphysical

penetrationtoolbagareavailableatyourlocalhardwarestore.Browseany display ofmetal rod stock that you come across; often you’ll findthat someof the items there (seeFigure5.55) arewell-suited tobeingbent and formed into various useful shapes. Another utterly fabulous(and often cheaper) source of bendable metal rods are “sign holders”designed tobe inserted intoearthanddisplaymessages concerningan

OpenHouseorthelocationofabackyardparty,etc.Notonlyaretheseitems very affordable (I routinely acquire them for less than a dollareach)butasyoucanseeinFigure5.56,theycomebydefaultwithafewconvenient loops already in place. These can serve as effective andhelpfulhandles…allthatisneeded(typically)istobendthetipintoan“L”or“U”shapeinordertoreachthroughadoorjambandeithergrabalatchorimpactapushbar.

Figure5.55 Metal rod stock… incrediblyusefulwhen trying toengagehandles from theoppositesideofadoor.

Figure5.56 Metal“signholders”canalsobeincrediblyeffectiveandusefulbypasstools.Thepre-fabricatedloopsmakeexcellenthandles.

Perhapsoneofthebest(andmostentertaining)examplesofjusthoweasily security can be defeated using metal rods as bypass tools wasdemonstratedbyBarryWelsandHanFeyat the IT-DefenseconferenceinBrühl,GermanyinFebruaryof2010. Intheirvideo(ascreenshotofwhichcanbeseeninFigure5.57),Barrysuccessfullyopensahotelroombyinsertingalongmetalrodunderthedoor,grabbingthehandleontheinside.This attack is particularly interesting, given that themethodofentry bypasses not only amechanical lock, but also an electronic one.The full video can be viewed here… http://youtube.com/watch?v=WAkJRpKeyYg.

Figure 5.57 Barry Wels demonstrating the “under door metal rod” attack in a videopresentedatthe2010IT-DefenseconferenceinGermany.

(CourtesyofBarryWeis.)

Many facilities engineers pay greater attention to protecting thecrevicesaroundandbeneaththeirdoors,ofcourse.(Thisisnottypicallyduetoconcernsofsecurity,butratherintheinterestofkeepingouttheelements, reducing heating and cooling costs, andmuffling noise.)Myassociates and I have discovered a rather unique avenue of attack,however, that is often available in office and hotel settings on doorswhichmightotherwiseappeartobeprotectedfromtypicalattemptstoreachtheinsidehandle.In professional spaces used for meetings, it has become a popular

trend to install peepholes on doors to conference rooms. This allowspassersbyinthehallwaytounobtrusivelyinspectaroomandseeifitisoccupied before attempting entry. This is a nice feature that can helpavoid interrupting any business that may be taking place, but itintroducesasecurityflaw.Asyouhavenodoubtnoticed(andcanseeinFigure 5.58), the optical element within a peephole does not performequally in each direction. In order to achieve the necessary field-of-

vision, peepholes such as this tend to be mounted backwards. Thisexposes the “insecure” side of the door (the side facing out into ahallwayorothercommonarea)tothemountingthreadsandtoolslotonthepeephole.

Figure5.58 Peepholesarenotbi-directionaldevices.Thefield-of-visionoftendictatesthatwhen installed inofficemeeting rooms, the insecure sideof apeephole facesa commonarea,suchasahallway.

Inapinch,itissometimespossibletounscrewandpopapeepholeoutofitsdoor,resultinginanexposedholenearlyahalfinchindiameter.Throughthishole itcanbepossible toattemptattacksagainsthandlesontheinsideofthedoor.Metalrodsorevenloopsofstrongcordcanbeused, ifonehasagoodsenseofwherethehandle ispositionedontheother side. This attack was demonstrated to great effect by notedsecurity researcher C-P during the seventh NotACon conference inCleveland,Ohio.DoIexpectthisvulnerabilitytobeexploitednumeroustimesintherealworld?No,Idonot;butitisworthconsidering,ifyou

areassessingacompany’ssecurityposture…orevaluatingyourown.

SummaryInpreviouschaptersofthisbookwehavefocusedexclusivelyonfinesseattacks against lock mechanisms themselves. It is always important,however, to remember that as a penetration tester your goal is not toexploit only the most difficult flaws in security using only advancedtechniques.Relyuponwhatevergetsyouinquickly,easily,andcleanly.A solid grasp of bypassing techniques can often be the differencebetween being spotted by security personnel and slipping past adefensiveperimeterbeforeanyonehastimetonoticeorreact.

AIdonotmeannearlyallmodelsofpintumblerlockarevulnerable,althoughmostofthemare.

Rather,myassertionthatthe“vastmajority”oflocksarevulnerableisduetothefactthat

cheaplockswithlittletonoprotectionshavemuchgreatermarketpenetrationthan

competinglockswhichoffersomedegreeofprotection.Untilmanufacturerssimplystop

producinglocksthataresusceptibletobumping,itislikelythatconsumerswillcontinue

buyingandinstallinglocksthatcanbebumped.

BHence,theAmerican2000series…alsoknownasthe“puckstyle”or“shackle-less”padlock.

Thislockcannotbebypassedandisaverysolid,robustunit.Indeed,thepublicityofthe

bypassattackwaspartoftheevolutionthatleduptothislockbeingproduced.Thatstoryis

wonderfullyillustrativeevidenceofthefactthatindependentsecurityresearchersand

responsiblepublicdisclosureofvulnerabilitiesultimatelyresultinbettersecurityforallofus.

CTheMasterLockdesignplacesthe“halfcircle”onthetailoftheplugandthe“quartercircle”

onthecontrolcaminaslightlydifferentalignment,makingPeterson’soriginaltoolquite

difficulttouse…however,thesameweaknessispresentinthelock.Withsomeadditional

dedicatedresearchandengineeringitislikelythattheMasterLockproductcouldbeexploited

inthesameway.

DIdemonstratedtheAmericanLockbypassaspartoftheclosingofmyfirstlectureatthe

DEFCONsecurityconferenceinthesummerof2005.

Chapter6

TheyAllComeTumblingDown—PinTumblersinOtherConfigurations

ChapterOutline

TubularLocksCruciformLocksDimpleLocksTheSecretWeaknessin90%ofPadlocksSummary

Fromthestartofthisbook,wehavespentagreatdealoftimefocusingonpintumblerlocks.Chapters1and2dedicatedagreatmanydiagramstoillustrationsofhowtheselocksareconstructedandfunction.Chapters3and4containedmanyguidesandexercisesregardinghowtousebasiclockpickingtoolsinordertomanipulateandopentheselocks.However,thus far the material presented has focused almost entirely on pintumbler locks of the common “bittedblade” variety…which feature a“vertical” keyway and a row of pin stacks running along a single,uniformvectorsuchthatthekeypinsridealongthethinedgeofakey.Notallpintumblerlocksareofthisstyle,however.Indeed,therearea

numberofotherpopularmethodsoforientingpinstackswithinalock.The styles of lockpicks and techniques that may be used whenattemptingtoexploit theseproductsarealsorathervariedandunique.This chapter will present an overview of some of the most common“alternative”designs of pin tumbler lock and summarize the tools andtacticswhichcanbeeffectiveagainstthem.

TubularLocksManyofyoumayhaveencounteredtubularlocksatsomepointintime.Sometimes theyalso called “ChicagoLocks”or “AceLocks”due to thefact that the first widely-successful lock in this style was the modelnamed “Ace” produced by the Chicago Lock Company. However,presently the design has been adopted by a number of othermanufacturersaroundtheworld,mostofwhomhavenoaffiliationwiththeoriginator. It is for that reason that thename“tubular lock” is thebest designation for this style of hardware. An assortment of tubularlockscanbeseeninFigure6.1.

Figure6.1 Threedifferent tubular locks.The first isagun lockbyDacTechnologies, thesecondisthevenerableAcelockproducedbytheChicagoLockCompany,andthethirdisano-namegenericcopyof theoriginalChicagodesign.Noticethatwhileall three locks featurethe“keycentering”notchinthetopdeadcenterposition,onlytheAcelockhasanadditionalnotchthatallowsthekeytoberemovedwiththeplugturnedandtheunit“lockedopen”.

Whiletheselocksmightinitiallyappeartobeverydifferentfromallofthe hardware that we’ve been discussing thus far in the book, in factthey operate bymeans of simple pin tumblermechanisms the likes ofwhichwerefirstseenbackatthestartofChapter1.Let’slookmorecloselyatthecomponentsandconstructionoftubular

locks. The similarities to the basic “blade key” design will becomeapparent.

Insideatubularlock

Nearly all tubular locks have a round housing, often one featuring aprominent lip or collar that helps to align the lock flush against amounting surface.The left sideof Figure6.2 shows aphotographof atypical tubular lock housing; the right side shows a cross-sectionaldiagramofthissamepieceofmetal.

Figure6.2 Atubularlockhousing.Theroundholecutintothefrontfaceofthehousingisofasomewhatsmallerdiameterthanthelargerchamberfoundwithin.

Tubularlockshaveplugs,muchlikeotherpintumblerlocks.Theyarecircular,allowingrotation,butnaturallytheyhaveadistinctappearanceunlikeanythingwehaveexamined thus far in thisbook.Perhapsmostdistinctiswherethepinchambersaredrilled.Figures6.3and6.4showatubularlockplugandthecreationofthesechambers.

Figure6.3 Atubularlockplug.Itisinsertedintothehousingfromthetailsideduringtheassemblyofalock.

Figure 6.4 A tubular lock plug with the pinning chambers drilled. They are drilledcompletelythoughthemiddleflangesectionofthispieceofmetal.

Thereisanadditionalcomponenttoatubularlock’shousing,calleda“barrel”,whichisinsertedintothelockaftertheplugduringassembly.It is often held in place by means of a small screw or pin which isinsertedinaholetothetailsideof thehousing.Figure6.5 shows this

additionalpieceofhousingbeinginsertedintoplaceandFigure6.6callsattentiontotheretainingpin.Naturally,however,thepinwouldnotbepoundedintoplaceatthismoment,giventhattherearenopinsinplacejustyet.ThepinsareomittedinthosetwoFigurestokeepthediagramslessbusy;Figure6.7showsatubularlockfully-assembled.

Figure6.5 Thebarrelcomponentofatubularlock’shousing.Canyouseewhereithasbeeninsertedinthediagramontherightside?Thisiswheretherestofthepinchambersexistinatubularlock.

Figure6.6 Showingwherea retainingpinwouldbe installed in thehousingofa tubularlock. This locks the barrel (which is shown in the photo on the left) to the overall housing.Normally the lockwouldnotbe fused togetherat thispoint,asnopinstacksarepresent.Keypins, driver pins, and springs would normally be inserted into the plug and barrel, then thewholeaffairwouldbeinstalledandfusedinplacewiththisretainingpin.

Figure 6.7 A diagram of a fully-assembled tubular lock. Naturally, this image cannotrepresent thecompletearrayofpin stacks,as someof themwouldbe“behind”others,on the“far”sideoftheplug,inthisside-viewperspective.

Whena tubular lock isat rest, the springspushallpiecesof thepinstack toward the front face. In each chamber, driver pins are sittingpartiallywithin the plug and partially in the barrel. For the plug of atubular lock to turn freely, the pin stacksmust be pushed back awayfromthefrontface,tovaryingdegrees,inordertoallowthepinstackstomeettheshearlineinbetweentheplugandhousinginsert(seeFigure6.8).

Figure6.8 A tubular lockwith its pin stacks pushed to the various depths necessary inordertofreetheplugandallowrotation.Allofthedriverpinshavebeenpushedoutoftheplugandaresetexactlyattheshearline.

Usersoftubularlocksareabletoquicklyandeasilypushallofthepinstackssimultaneouslybymeansofthesimpleandyetelegantdesignofatubularkey.Notchesarecut intothemetalofatubularkeyarounditscircumference.Thesenotchesvaryinsize(seeFigure6.9).

Figure6.9 Tubularlockkeys.Noticethebittingnotchescuttovariousdepthsaroundthetipofthekey.

All of thismight seemdaunting, but remember… this lock typicallyreliesonbasicpinstacks,thelikesofwhichwehaveencounteredbeforeasfarbackasChapter1.

Picktoolsfortubularlocks

Now,itmayseemtosomepeoplethatsuchalockwouldbeeasytopick,given that every single pin stack is exposed to the user. Indeed, somepeopledotrytopicktubularlocksbyapplyingslighttensiontotheplug(often by inserting a small squared tension tool into the key-centeringnotch)andstabbingstraightatthepinswithasmall,thintool…oftenahalfdiamondpick.Thistechniquewilloftenworkasameansofsettingthepinstacksattheshearline,butsuchsuccessisoftenshort-lived.Yes,theplugwillbefree to rotate…but it canonlybe turned slightly (usuallybetween45and50degrees)beforethepinchambersoftheplugandthebarrelline

up(not in theiroriginalpattern,ofcourse…nownew chambersof theplug and the housingwill align) andmost of the pin stackswill snapbackintoplace. Inordertopickatubular lockinthismanner,tensionwouldhave to be consistently applied and the attackerwouldhave tometiculouslypushuponthepinstacksasmanyassevenoreighttimes!Fortunately,therearemoreefficientwaysofpickingtubularlocks.Aspecializedpicktoolsisneeded,however(seeFigure6.10).

Figure6.10 A tubular lockpick tool.Manyvendorsproducevariantsof this tool,but theoveralldesignremainsthesameinalmostallcases.

A tubular lockpick tool can simulate the various bitting cuts on atubularkeybymeansofaseriesofscallopedchannelsonitstipwhichcontain movable feelers (see Figure 6.11). Depending on where thefeelers are positioned, the channel can simulate anything from a totalnon-cut(blankkey)toaverydeepcut(typicallyadepthofseven).

Figure 6.11 The working tip of a tubular lockpick tool. Notice the channels and themovablefeelers(thestripsofdarkmetal)whichcanbeadjustedtoanyposition.

The feelers reside in small channels cut into the tool’s cylindricalshaft.Whilesimpleversionsofthistypeofpickdonotofferanylevelofsophisticationbeyond that,mosthigh-quality tubularpick toolson themarket today incorporate some means of controlling how “tight” thefeelers are. Often, this is achieved by means of a screw collar. Thevarious componentsof sucha collar are showndisassembled inFigure6.12.

Figure6.12 The various components of a tubular lockpick’s adjustable collar.Often thelargestring(shownonthefarleft)ridesuponathreadedscrewsurface.Beneathitsitsasmallmetalflange.BeneaththeflangeisarubberO-ring.Asthelargeringisscreweddownuponthecollar,thisputspressureontheflange,whichinturnsqueezestheO-ring.Themoretherubber

O-ring is sandwiched, the more it presses up against the metal feelers, restricting theirmovement.

It is possible to completely disassemble and remove the adjustablecollaronthisstyleofpicktool.Ifyouwishtomodifyyourtool’sfeelersorotherwisecustomizeyourpick,this isoftenachievedbyremovingasmallscreworhexnutthatholdsthecollarinplace(seeFigure6.13).

Figure 6.13 The retaining screw that holds this tubular pick tool’s adjustable collar inplace.Byremovingit,theentirepickcanbedisassembled.

One of themost commonmodifications (onewhich I perform uponevery new tubular lockpicking tool that I acquire) is the removal of a“resetwasher”which is often installed by default. Thiswasher,whichyoumay have seen on such tools in the past, serves almost no usefulfunction and (in my opinion) gets in the way. By removing theadjustablecollaryoucangetthatwasheroutofthere.

Warning

While there are a number of usefulmodifications that canbeperformedon a tubular pick,

take cautionwhendisassembling oneof these tools. The feelers are likely to all popout of

theirchannelsandfallontothetable.Donotworrytoomuch,astheyarealltypicallyuniform

andcanbe reassembled in anymanner. Still, take cautionyoudon’t lose them.Also,when

reassemblingatubularpick,donotretightenthescreworhexnuttoomuch.Moveeachofthe

feelersinitschamber…theyallshouldhaveuniformandequal“tightness”atanygiventime.

Overtighteningoftheassemblyscrewwilloftencausethefeelersontheoppositesideofthe

pick’sshafttobecomeimmovable.Backthescrewoffuntilallfeelershaveuniformmovement.

I am often asked exactlywhat the best setting is for this adjustablecollar component on a tubular pick tool. Like many aspects oflockpicking, there is no single hard-and-fast rule uponwhich you canrely…butIhavefoundwhatIbelievetobeadecent“average”standardthatyoucanat leastuseasabenchmark.Trythe following…unscrewthe adjustable ring somewhat on your tubular pick. Now, using just asingle finger, spin it back in the “tightening” direction until it stops.Fromthispointofslightfriction,turntheringanadditionalquarter-turntighter. That is a healthy baseline.Many simple lockswill require lesstightness thanthis.Someadvanced locks(whichwewilldiscuss in theupcoming section, “PickingTubularLocks”) requireadditional stiffnessinthefeelers.

Note

Someindividualsspeakofadjustingatubularpicktool’soverall“tension”andwhileIsuppose

thistermapplies,Itendtoshyawayfromitgiventhattheconceptof“tension”isalreadyan

integralpartoflockpickingandthattermisusedinotherwaysunrelatedtoadjustmentsona

tubularpicktool.Inthisbook,the“tightness”ofthefeelerswillbereferenced.Thetermmay

soundslightlymorepedestrian,butIfeelitisperhapsthebestwordtouse.

ThepickpicturedinFigures6.10through6.13 isa fineproductandsuitable for tacklingmost7-pin tubular locks.The tool’smanufacturer,

SouthernOrdinance,alsoproducesan8-pinmodelofasimilardesign.Iownboth,butcarryingthemalwaysfeltlikesomethingofachoretomegivenhowinfrequentlyoneeverencountersan8-pintubularlockinthefield.Still,myBoyScoutpreparednesswouldn’tallowmetoexcludeitfrommypenetrationtestingkit.Imaginemydelightwhenanother company,Georgia-basedSouthern

Specialties, designed a remarkable tubular pick that can provide thefunctionality of both of the above tools, all in a single package. Thiscompany’s chief designer, Richard Stapleford, had an epiphany andcreateda terrificone-pick-fits-all solutionbydesigninga tool inwhichthecenteringpincanbemovedfromonepositiontoanother(seeFigure6.14).

Figure6.14 Left:TheheadonthemainshaftofStapleford’stubularpickismachinedwithperimetergrooves thataccept the feelersof thepick,while thereare twodistinctholeson theinsidelipwhereacenteringpincanbeinstalled.Middle:Thepickisconfiguredforattacking7-pinlocks.Oneoftheeightperimetergroovesdoesnothaveafeelerinstalledandthecenteringpinisaffixedinthisblankposition.Right:Thepickisnowconfiguredforattacking8-pinlocks.Allperimetergrooveshavefeelers installed,andthecenteringpin isnowlocatedatapositionwhichisin-betweentwogrooves.(Thiswouldalsoworkforpickingtheveryrare“7-pinoffset”styleoftubularlocks.)

ThistoolcostsalittlemorethantheSouthernOrdinanceofferings,butitquicklybecamewhatIpreferredtokeepinmykit,notonlyduetoitsmorecompactsize(asopposedtocarryingmultipleseparatetools)butalsobecause I love itsmore“solid”and“complete” feel.Thehandle is

metalasopposedtorubberandthetoolshipswithafullservicekitandspareparts(seeFigure6.15).

Figure 6.15 The Southern Specialties “combination” pick ships with extra feelers,replacementO-rings,sparecenteringpins,andallthetoolsnecessarytoservicethepickyourself.(Thelong,curledmetalrodisusedtoremovethecenteringpinifyouarechangingfrom7-pinto8-pinpickingmode.Slots cut into the shaftof thepickenableyou topoke in frombehind thecenteringpininordertopopitoutifyouwishtochangeitsposition.)

Acommonmisconceptionabouttubularlockpicksisthat,becausethefeelers feature “handles” (actually, just bent segments) down by thelarge,maingrip,theusersomehowmanipulatestheseindividualfeelerswhen working with the tool. This is not the case with either of thetubularpicksIhaveshownthusfar.The one exception to this rule is in the use of the PRO-1 Tubular

LockpickmanufacturedbyPetersonTools (seeFigure6.16). This is anadvanced device (with a price tag to match) that can be used tomanipulatepinstacksindividually.Insteadofflatmetalfeelers,thePRO-1 pick operates using small, stiff wires which can be aligned andconfiguredinvariouswaysusinganassortmentofinterchangeableheads(see Figure 6.17).When a head piece is selected and installed on thePRO-1pick, it “becomes” the tool that theuser needs in thatmoment

(seeFigure6.18).HeadsareavailableforthePetersonpickinavarietyof cylinder diameters of both 7-pin and 8-pin locks. The tool alsofeaturesadjustabletensioning/lockingcontrolsforeachfeelerwire(seeFigure6.19).

Figure6.16 This is thePetersonManufacturingPRO-1tubularpick.Asyoucansee, it isnotatallsimilarinappearancetotheothertubulartoolswehavediscussedthusfar.

(Photocourtesyofdatagram.)

Figure6.17 ThePRO-1functionsbymeansofassortedinterchangeableheads.(Allaresoldseparately,typicallyforaround$50each.Thepickitselfretailsinexcessof$300.)Theseheadsguidethefeelerwiresintothenecessarypositionstoattackawiderangeoflocks.

(Photocourtesyofdatagram.)

Figure6.18 Withaheadinstalled(securedwithaseparatelockingcollar,thesilverringofmetal)thetipisconfiguredandreadytomanipulateatubularlock.TheprocessforusingaPRO-

1toolisconsiderablyinvolvedandgoesbeyondthescopeofwhatwewilldiscusshere.

(Photocourtesyofdatagram.)

Figure6.19 Eachpin stackofyour target lockcanbemanipulated individuallyby theseseparateadjustable(andlockable)thimblesontherearsideofeachwire.Again,theprocessbywhichauseractuallyoperatesaPRO-1pickisconsiderablydetailedandwewillnotdiscussithere.

Fortunately, most tubular locks do not require anything sosophisticatedasthePetersonpick.TheSouthernSpecialtiesoreventheSouthern Ordinance tubular tools are more than adequate in manysituations.Pickingtubularlocksisanintricateprocess,butonethatcanbe infinitely easierwith the right tool. The next section describes twodifferentwaysthatpeoplesometimeschoosetouseatubularpick.

Pickingtubularlocks

For the most part, the process of using a tubular pick tool involvespushing all of the feelers up flush with the tip of the tool, thenmanipulating thepick in the lock in such away as to slowly inch thefeelers intothecorrectpositions.Asreferencedintheprevioussection,“Pick Tools for Tubular Locks”, the feelers are not manipulatedmanually. Rather, through actions within the lock, the pin stacksthemselves will naturally tend to push the feelers into the correctposition.

Zeroingthepick

Theremaybemultiplewaysofusingatubularlockpick,butpreparingthetoolisalwaysperformedinthesameway.Inorderto“zero”thefeelersthey are traditionally pushed upward, beyond the tip of the tool’sworkingshaft(seeFigure6.20)andthenthetoolitselfispressedagainsta hard, flat surface (see Figure 6.21) in order tomake the tips of thefeelersperfectlyflushwiththetip(seeFigure6.22).Whilethis isoftenreferred to as “zeroing” the tool (in that a bitting code of zero istypicallyrepresentativeofnocutatallonakey),thetermisnot100%accurateinthiscontext,giventhatbysomestandardsabittingcodeofeight represents no cut at all. Still, given the prevalence of the term, Iwouldnotconsideritimpropertospeakof“zeroing”atubularpicktoolwhenthisprocessisperformed.

Figure6.20 Atubularpickwithallofitsfeelerspushedupward,beyondtheworkingtip.

Figure6.21 Pressingatubularpickintoaflat,hardsurfaceinorderto“zero”thetipofthefeelers.

Figure6.22 Thepicktoolisnowfullyresetandreadytobeusedinalock.

Asmentionedatthestartofthissection,therearetwomainwaysofusing a tubular pick tool. In each case, however, it is important to bemindfulofhowthistoolshouldbeinsertedintothelock.

Insertingthepick

Tubular pick tools rarely, if ever, feature a prominent point of metalsticking outward from the cylindrical shaft (the “outer centering bit”).Tubularkeysalmostalwaysfeatureasmallbumporprotrusionofmetalupontheirinnersurface(an“innercenteringbit”)whichcanalignwithaslotontheplugofthelock.Align the pick tool properly at the face of the lock. Insert the tool

directly into the lockas faras itwill travel.Takecare topositionandmove the pick in a direct parallel with how the lock is oriented (seeFigure6.23).Ifyouattempttoinsertthetoolatanoff-centerangle(asshown,perhapsabitexaggeratedly,inFigure6.24)thiscandisturbthefeelersandpushthemoutofpositionaccidentally.

Figure6.23 Atubularpickshouldalwaysbeinsertedinastraight,directmanner.

Figure6.24 TakecaretoNOTeverinsertthetubulartoolatanoff-angle.Thiscandisturbthepositionofsomeofthefeelers.

In general, a tubular pick should feel relatively smooth and

unobstructed when being inserted into a lock. Occasionally, the “keycenteringnotches”onaplugwillbeabitsmall,andthefirsttimeyourpickisinserteditmightseemabitstifforresistant.Ifyouareunsureasto whether or not you inserted your pick properly, remove it andobserve the feelers. The next section, “Working the Pick”, offers someadviceas tohow theappearanceof the feelers can indicatewhether amistakehasbeenmade.

Workingthepick

Aswe begin discussion of how tomanipulate a tubular lockwith thisstyleofpicktool,itisagoodideatoexaminesomespecificsofhowthefeelers move on this pick tool. Observe the three companion imagesshowninFigure6.25.

•Ontheleftisanimageshowingafeelerthathasmovedpartwaydownin itsworkingspace.Youare likely toseemanyfeelers thatmove inthisfashion.•Inthemiddleisanimageshowingafeelerthathasmovedallthewaytothemaximumcutdepthforaparticularpositiononatubularkey.You won’t encounter this quite as often when picking most locks.Super-deep cuts like this don’t occur as frequently on keys.Encounteringafeelermovedtothispositiononyourpickcanbeasignof aproblematicpin stack (usually onewith a very stiff spring) thatwillrequireextraattention.•Ontherightisanimageshowingafeelerthathasbeenmoveddeeperthan thedeepestcutposition.This isa sign that somethinghasgonewrong;more than likely thepick tool snagged theedgeof the lock’shousingwhenitwasbeinginsertedintotheplug.

Figure6.25 Threepossiblepositionswhereafeelercanmoveduringtheuseofatubularpick.

It ismyhope that these threedistinct feelermovementsareclear toyou.Theywillbereferencedaswediscussthetwoprimarymethodsofusingthetubularpick.

Theside-to-siderockingtechnique

ThefirstmethodoftubularpickingthatIeverlearnedwastheside-to-side rocking technique. This is straightforward to understand, easy toperform, and has a relatively decent success rate against tubular locksthatfeaturenospecialprotections.Begin by “zeroing” the feelers as shown in Figures 6.20 and 6.21.

InsertthepickdirectlyandcompletelyintotheplugasshowninFigure6.23.With thepick toolall theway in, rock itbyattempting torotatethe plug clockwise and counter clockwise with amotion indicated byFigure 6.26. The plug won’t be able to move very far, and you maybelieve that you’re not accomplishing anything at all. If you were toremove thepick tool, however, chances are you’dnotice thatmanyoffeelershavemoved.Howisthispossible?

Figure6.26 Rotatingthepicktoolbothclockwiseandcounterclockwise inanattempttocausepinstackstobind.Donotletthesizeofthearrowmisleadyou,initiallyyouwillnotbecapableofagreatdealofrotationalmovement…butkeepatit.Itwillbehaveaneffect.

Thereasonhastodowithhowbindingpinscausemovementofapinstack.Recallback inChapter2whenwe firstdiscussedpin stacksandthe binding of driver pins in the shear line. Figure 2.7 showed themotionofadriverpinasitbecamewedgedintheshearlinewhentheplug was exposed to a rotational force. What may not have been asobvious back then (given that it was immaterial at the time andtherefore not discussed) was the fact that the driver pin’s becomingslightlyangledtothesidealsoputsadditionalpressureuponthekeypin.Thishasessentiallynoeffectwhenworkingwithconventionalpicktoolsinsideofablade-key-stylepintumblerlock…thepinstacksarealreadyrestinginthe“bottom”oftheirchamberswhentheprocessbegins.Inatubular lock,however, thepinstacksare sittingatop the feelersof thepick.Thesefeelersarecapableofmoving,ofcourse.Thus,whenyourockthepicktoolinalternatingdirectionsasshowninFigure6.26,someof

thepinstackswillbebinding.Thepins in thesebindingstackswillbe“wigglinginplace”slightly,andthiswillbebringingpressureuponthefeelers of those chambers. The feeler of a binding stack will moveslightly,but(intheory)itshouldonlyslidetothedepthatwhichthepinstackaboveitisnolongerbinding.Whyisthat?Becauseifthepinstackisattheproperheightandnolongerbinding,thepinsofthatchambershould no longer be “wiggling” in place. Continued oscillation of thepicktoolbackandforthshouldbringaboutsimilarmovementbypinsinotherchambersastheystarttobind.Intubularlocksthatfeaturenospecialprotectionsagainstpickingand

manipulation, this technique will often produce results in amatter ofminutes.

Thein-and-outpressingtechnique

A rather different technique than the one described in the previoussection,thisisamethodsomewhatinbetweenanoverliftingattackandan impressioning attack. Some of my associates have great successattackingtubular locksby inserting theirpick tool (properlyzeroed,ofcourse)intothelockalltheway,applyingsomerotationalturningforceinonedirection,andthenmovingthetooloutslightlyandthenpressingitback inagain.Figure6.27attempts to indicate the seriesofmotionsthatareinvolvedinthisprocess.

Figure6.27 An attempt to diagram the In-and-Out Pressing Technique. The pick tool isfullyinserted,rotatedtooneside,andthenmovedinandouttoverysmalldegrees.

Ultimately,what one is trying to accomplish by this technique is topushallofthepinstacksoutpasttheshearline,thenallowingthemtoslowly fall back toward the face of the lock while the plug is undertension. The alternative movement can also work in the same way…pushingthetoolfurtherintotheplugwhileitisundertension.Inbothcases,thenotionistohopefullycatchthesplitbetweenthekeypinandthedriverpinattheshearline.This technique (inmyview) takesa littlemoregettingused to than

the “Side-to-Side Rocking Technique,” but I have seen it producesuccessfulresultsinamatterofsecondsasopposedtominutes.Beawarethatatubularpicktoolcanberemovedfromthelockatany

timeandfromanyposition,becauseitdoesnothaveanoutercenteringbitlikemostkeys.Becauseofthis,itispossibletodenyotheruserseasyoperation of a tubular lock. If you have successfully picked a tubularlock and remove your toolwith the plug turned to any position other

than the default, resting position the result will be similar to what isseeninFigure6.28.Yes,thisisasuccessfulopeningattempt…butnowthe lock is inoperable, even with the proper key. The only course ofactionatthistime(otherthanfilingtheoutercenteringbitoffthekey)wouldbetousethepicktooltomanipulatethelockshutagain.

Figure6.28 Atubularlockthathasbeenpickedopenandcannownolongerbeoperatedbythekey.Itwillremain“stuck”likethisuntilatubularpicktoolisusedtorotatetheplugbacktothedefaultpositionagain.

Pick-resistanttubularlocks

As was seen in Chapter 4, some manufacturers make changes to thecomponentsoftheirpinsstacksinordertoproducelocksthatarehardertoattack.This isascommonapracticewithtubular locksaswithflat-blade-keylocks.

Variedspringstrength

ThemosttypicaldifficultythatIhaveencounteredwhenpickingtubular

locks is the use of different styles and strengths of springs in variouschambers. The Chicago Lock Company, originator of the tubular lockdesign,hasbeenincorporatingthisfeatureintheirlocksforquitesometime.Thesecond-generationAcelocksareparticularlyhardfornovicestopickforthisreason.Itwouldnotbe suchaproblem ifallof thepinchambershadhigh-strength springs. One could merely calibrate the tubular pick tool forexcessivestiffness(bytighteningtheadjustmentcollarconsiderably)andproceed.However,inalockwithassortedspringstrengths,thatmethodwill not work. Too much stiffness will all but prevent the pin stacksfeaturing“average”springsfrommoving.Toolittlestiffnesswillresultinwaytoomuchmovementbypinstacksfeaturing“high-strength”springs.Sowhatisthesolution?Often, the best approach is a two-stage approach. Begin by zeroingyour pick and adjusting the stiffness to what I described as a decent,average level.Thumb-tighten the ringuntil it stops, thengrip it firmlyandprovideanadditionalquarter-turn.Insertthepickdirectlyintothelockandthenremoveit.Observethefeelers. In an ideal world, a few of themmight havemoved (perhapsquitesignificantly,downtothebottomoftheirbittingcutsasseeninthemiddle photo in Figure 6.25) while others have remained stationary.That’s what you want to see. The chambers where the feelers havemovedsignificantlycontainhigh-strengthsprings.Ignorethosefornow;wewillcomebacktotheminamoment.Proceed with the oscillating movement as shown in Figure 6.26. (Ifindthe“Side-to-SideRockingTechnique”tobeofgreatestuseinthesecases.)Afteratime,removethepickfromthelock.Observethefeelers.Someofthemshouldhavemovedpartwaydown,andofcoursetheonesthatmovedcompletelydown(asseeninthepreviousparagraph)willstill

be in that position. Figure 6.29 shows an example of this… the feeleridentified as#1was facing a high-strength spring and is likely out ofpositionatthistime;feeler#2wasfacingaconventionalspringandmayhaverockedintothecorrectposition.

Figure 6.29 Comparing the difference between high-strength and conventional springswithin tubular pin stacks. After some rocking back and forth, it appears that the lower feeler(#2)mayhavemovedintotheproperposition.Thefeelerseenabove(#1)isallthewayatthe“deepest”depthandhaslikelyencounteredahigh-strengthspringbehindthepinstackwhereitwaspressing.

Ifyouencounterthis,allhopeisnotlost.Onthecontrary,youmaybehalfway there. Use this time now to reset the feelers, but only in pinstacksthatyoususpecthavehigh-strengthsprings.ObservethephotoinFigure 6.30. Feeler #1 has been reset back to its “zeroed” position.Feeler#2hasbeenleftundisturbed.

Figure6.30 Feeler#1hasbeen reset to its startingposition,but feeler#2hasbeen leftwhereitwas.Thepicktoolisnearlyreadyforasecondpass.

With some selective resets performed, it is now time to increase thestiffness of your feelers. Turn the adjusting ring an additional quarter-turnorperhapsevenahalf-turn.Thiswilleffectively lock inplace thefeelersthatwerefacingconventionalsprings(thesefeelersdonotneedto move any further, since they are likely in the correct positionsalready)andnowyoushouldhaveenoughstiffnesstotrytotacklethehigh-strengthpinstacksasecondtime.Youcancheckifyouhavedialedupthestiffnessenoughbyinsertingandremovingthepickonetime.Haveanyofthefeelersmovedallthewaybacktotheirdeepestpositionagain?Iftheyhave,resetthemagainandadjusttoevengreaterstiffness.Fortubularlockswhoseonlyprotectionisvariedspringstrength,thistechniqueisoftenthemosteffective.

Highersecuritypinsintubularlocks

Some tubular lock manufacturers incorporate changes not just to thesprings but also to the pins within their locks. These changes are alsogeared towardsmaking the locksmore secure. One interesting featurethatIhaveencounteredtoagreatdegreecouldbecalled,forlackofabetterterm,“longposts”onthedriverpins.DidanyofyounoticebackinFigure6.7,whenwe first saw the diagramof an assembled tubularlock, that the pin chamberswere cut rather deeply into the barrel? Insomelocksthiscanresultinthepotentialforanoverliftingattack.SeeninFigure6.31,ifthereistoomuchroominapinchamber,theentirepinstackcanbepushedoutoftheplug,allowingittorotatefreely.

Figure6.31 Overliftingthepinsofatubularlock.

In order to prevent this, some manufacturers will incorporate longpostsonthetailsideoftheirdriverpins(seeFigure6.32).Thesepostsalso have the virtue of helping to guide and align the springs duringassemblyandoperationofthelock.

Figure6.32 The pin stack shown at the top of this diagram includes a driver pin thatfeaturesalongpostonitstailside.

Beyond the “anti-overlifting” posts, some manufacturers willincorporatespecially-shapedkeypinsanddriverpinswhichattempttofrustratethetwostylesofattackdescribedinthischapter.SomeofthesepinshapesareshowninFigure6.33.

Figure6.33 Additionalprotectionsinatubularlock.Again,directyourattentiontothetoppinstackinthisdiagram.Thekeypinhasataperededgeandthedriverpinhasamushroomlip.

Attackingatubularlockthatfeaturesanti-pickfeaturessuchasthisineverychamberwouldlikelyprovetobequitedifficult.ItisquitelikelythatpickingattemptswouldfailwithanythingotherthanatoollikethePetersonpick.

Oddstylesoftubularlocks

I have occasionally encountered some rather strange (perhaps somewould simply say “unique”) tubular locks. A variant that I haveencountered with greater frequency than any other is a tubular lockwithoutany“key-centering”notchontheplug.SuchalockisshowninFigure6.34.Duringusage,theplugobtainsallofitsturningforcesimplyfromtheportionsofthekeypinsthatarestickingupintothebittingcutsof the key. It is quitedifficult to attack such a lockwith conventionaltubular picks, given that the normalmethod of using these tools is tobeginwithallfeelersoutatthe“blankkey”position.Itisnotpossibleto“grab”ontotheplug likethis.Additionally, the lackofakey-centeringnotch on the plug often will prevent a tubular pick tool from evenseatingproperly in the lock.Theonlywaytoattacksuch locks iswithspecialized tools, often ones developed in the part of theworldwherethelocksareprevalent.ThelockinFigure6.34isfromSoutheastAsia.ItcanonlybeattackedwiththepicktoolshowninFigure6.35,whichTheOpenOrganisationOf Lockpickers obtained from a locksmith inKualaLumpur.

Figure6.34 An unconventional (by our standards here in North America) tubular lock.Noticehowthereisnokey-centeringnotchontheplug.

Figure6.35 An assortment ofmulti-piece tubular pick tools obtainedwhen traveling inMalaysia.ThesearetheonlytoolsweownwhichcansuccessfullyattackthelockseeninFigure6.34. As you can see, they operate in a similar fashion to the pick tools seen earlier in thischapter(theyhaveaseriesof“feelers” thatcanmove independently)but theyaremuchmorecomplicatedtouse.

CruciformLocksThereisastyleoflockthatsomepeopleinNorthAmericamaynothave

encounteredveryoften(ifatall)butwhichisverypopularinotherpartsoftheworld(specificallyAsia,thePacificRim,andSouthAmerica)andthereforedeservesmentionhere. Iamspeakingaboutcruciformlocks…alsoknownas cross locksorZeiss locks.1While the keys of these locksmaylookintimidatingatfirstglance(seeFigure6.36),theyare,infact,nothingmorethanauniquestyleofpintumblerlock.Eachbladesurfaceof the key rides along its own separate channel in the plug and caninteractwithitsownuniquerowofpinstacks.Typically,theserowsarethree or four pin stacks deep. Also typical of this style of lock is thepresence of a “blank” channel in the plug. In spite of having theappearanceof fourbitted sides (indeed, thekeys to the lock shown inFigure6.36dohavebitting cuts on all four surfaces), the lock itself isonlypinnedinthreeofthefourchannels.

Figure6.36 Acruciformlockanditskeys.Somepeopleseemintimidatedbythemultipleblades appearing at perpendicular angles to one another, but the locks themselves tend to berelativelysimple.

Cruciformlocksareproducedbyanumberofdifferentmanufacturers.Aswehave seenwhenexploringother typesofpin tumbler lock (flat-bladekeystyle,tubularkeystyle)itispossibletoaddanti-pickfeaturestopinstacks,butsuchmeasuresareonlyemployedbycompanieswhowishtospecificallyfocusonsecurity.Manytimes,inanattempttolowerproductioncosts,locksareproducedusingthesimplestcomponentsand

assembled as quickly and cheaply as possible. Thepin stacks inside ofmost of the cross locks that I have encountered have no specialprotectionstomakethemresistanttopicking.Theonlyobstacle(anditis minor) comes from the fact that the keyway and pin orientationrequirestheusertohaveanonstandardapproach.

Manuallypickingacruciformlock

Itisoftenpossibletomanuallypickthisstyleoflockusingconventionaltools.Ifyouhaveatensionerthatcaneffectivelyapplyturningforcetothe plug and a pick tool that can reach inside (in these small, tightspaces a half-diamond pick tends to work well), one can feel around,seekingbindingpinstacks,settingpins,etc.Thiscanbealittlebitmoreofatediousprocessthanwithsingle-bladestylepintumblerlocks,giventhatthepinsmayhaveabindingorderthatmakesyoutraversearoundbetween the various channels multiple times. Still, it is possible.Personally,Ienjoyusingspecializedcrosspicksinstead.

Crosslockpicks

There are a fewvariations of the specialized tool that is oftenused inattacking cruciform locks, but nearly all of them involve very similarfeatures. There is a tubular shaft which can be used to apply somemannerofturningforcetotheplug,andthereareaseriesofpickingtips(often in the form of half-diamond picks or bits of stiff wire bearingdiamond-shapedbumpsattheirends)whichcanmoveinandoutoftheshaft.AtypicalcrosslockpickisseeninFigure6.37.

Figure 6.37 A typical cross lock pick. The four picking arms are attached to the rearplungerandcanmoveinandoutoftheshaft.Thecentralshafthassmallrodsonitstipthatcangripthekeyway,allowingtheusertoapplytensiontotheplugusingthelarge,roundhandle.

AscanbeseeninFigure6.37,thecentralshaftofthistool(whichtheusercontrolsbymeansofthelargeroundhandle)appliestensiontotheplug bymeans of small rods on its tip that fit into the keyway.Manycross lock picks come as kits with interchangeable shafts (see Figure6.38)thatallowtheusertoselectdifferentsizerodsinordertoobtainabettergrip in thekeyway.Longerrodsaresometimesnecessaryduetothefactthatsomecruciformlockshaveanextra“curtain”ofmetalbuiltintotheirfrontface,whichcanspinfreely(seeFigure6.39).Attemptingtoengagethisbitofmetalandturnwillnothaveanyeffectontheplug,hencetheneedforatoolthatcanreachmoredeeplyintothekeyway.

Figure6.38 Interchangeablecomponentsofacrosslockpick.Theroundtensioninghandlecanbeattachedtoatubularshaftfeaturingeitherlargeorsmallrodsinordertoengagevarioustypesofkeyways.

Figure6.39 Acruciformlockonthefrontofasafe.Theveryfirstpieceseeninthekeywayisafree-spinningplateofmetal.Applyingtensiontothatwouldhavenoeffect,thusacrosspickwithlonger“rods”atitstipisneeded.

Note

Therearesomehighlyspecializedcrosslockpickswhichdonotutilizesmallrodsattheendof

their tensioning shaft. Fabricatedwith large, flat blocks ofmetal (which often protrude out

past the picking arms), these picks are often designed for use in very specific locks, often

automotivelocks.Usingacruciformkeytostartyourcarormotorcyclemayseemstrangeto

individualsinNorthAmerica,butinotherpartsoftheworldthiscanbeseen.Picktoolsfor

this type of lock are often highly specific and not of great use when attempting to open

commonpadlocksordoorlocksthatusecruciformkeys.

Inmyopinion,crosspicksareamongtheeasiest lockpickingtoolsto

use.Beginbyextendingthepickingarmsoutbeyondthetubularshaft.Align the diamond tips with the channels of the keyway as shown inFigure 6.40 (their position doesn’t matter, as all four arms should befabricated equally from the factory). Insert them completely into thelock as shown in Figure 6.41 (you may need to pinch them togetherslightlywhen guiding them into the keyway). Then, bring the tubularshaft towards the lock face, aligning the rods with the keyway andinsertingthemintoeachcorner(seeFigure6.42).

Figure 6.40 A cross pick being prepared for use, with its four arms extended outwardbeyondthetubularshaft.

Figure6.41 Acrosspickwithitspickingarmsfully-insertedintothelock.

Figure6.42 Acrosspickwiththetensioningpieceinsertedintothekeyway.

Tellingsomeonehowtouseacrosslockpickisaboutaseasyastellingsomeonehowtousearakepick.DoyourecallhowinChapter2when

rakingwas introduced I expressed regret that therewasno formalizedprocess to raking that I could explain in a step-by-step manner? Thesameholdstrueforusingacrosslockpick.Indeed,thisisbecauseofthefactthatyouessentiallyusethetooltoperformarakingattackagainstallofthechamberssimultaneously.Applygentlerotationaltensiontotheplugbyturningslightlywiththe

picktool’slargehandle.Remember,aswithmanytypesofpicking,lightto moderate tension is the key… don’t turn too hard. With tensionapplied,grabtheplungerandpunchthepickingarmsinandoutofthelockveryquickly. Figure 6.43 attempts to illustrate these two actions,althoughnothing but a live-action video is likely to capture the speedwithwhichyoucanpunchinandout…nottomentionthespeedwithwhichthisattackcanopenthelockifyouaresuccessful.

Figure6.43 Acrosslockpickisusedbyapplyingslightrotationaltensiontotheplugandthenpunchingthepickarmsinandoutveryrapidly.

Sometimes, the lock will open almost instantly (see Figure 6.44).Sometimesitwilltakeadozenpassesorso.Inmyexperience,however,it shouldnot takemore than that. Ifyouhavenotexperiencedsuccessafter ten or twelve scrubbing movements, I would suggest thefollowing…slowlyremovethetoolfromthelock,takingcaretonoticeexactly how the picking arms are aligned with the chambers of the

keyway.Withthetoolremoved,rotateitninetydegreesandreinsertitinthemannershowninFigures6.40through6.42.Whatcanyouhopetoaccomplishbythis?

Figure6.44 Acrosslockthathasbeenpickedopen…youshouldfindthatit’softenquiteeasytodo.

Well, rememberhowI said that thepositionatwhichyou insert thetool (initially) should not matter, because all four picking arms arefabricated to be uniform? As you have seen time and time again(predominantly when we discuss the manufacturing of variouscomponents of a lock), nothing coming from a machine shop is everproducedwithabsoluteuniformityandperfection.Thevariousarmsofacrosspickmayhaveslightlydifferingdegreesofflexandstiffness.Howtheyperformineachchambermaynotbeperfectlyequal.Byexposingthepickingarms todifferent chambersand rowsofpin stacks,perhapsyou’ll get lucky and find one orientation more suitable than another.Thishashappenedtomealot,infact.I’lltrytouseacrosspickwithoutsuccess fora coupleofattempts, then turn thepickbyninetydegrees,andmynextattemptwillopenthelockalmostimmediately.Remember,in penetration testing it doesn’tmatter if you get in by skill, luck, orsomecombinationofthetwo!Beforewebringthissectiontoaclose,Ishouldsayawordaboutthe

varying styles and brands of cross lock picks. The term “brands” isperhapsabitgenerous,asmanyof these toolsareproducedby fly-by-nightcompaniesand soldonwebsitesand incatalogsknownmore forrock-bottomprices thanhighqualityproducts. Ihave foundcross lockpicks that I absolutely love. I have also come across ones that weremanufacturedsobadlyastobreakpracticallyonthefirstattemptmadetouse them. Inmyexperience,mostcross lockpicksarebasedaroundtwodifferentcompanies’designs.(Themarketisflooded,ofcourse,withno-nameknockoffscopyingeachofthesedesignsingreatquantity.)The KLOM company (and all those who have copied their design)

producesacrosslockpickwithanicearrayofinterchangeabletensiontips,butthetensionerhandleoftheirtoolismadeofplastic.ImanagedtocompletelystripthechannelfortheretainingscrewwhenIattemptedto switch tips and tighten the handle in place. An alternate design,offered by the GOSO company (and all of their competitors who arecopyingtheirdesign)hasamuchhigherqualitytensionhandlemadeofsteel… however, this pick tool doesn’t always come with variedtensioningtips.Figure 6.45 tries to give you an impression of the differing handle

shapes,whichcanserveawayofdistinguishingwhichtypeoftoolyoumaybepurchasing if you shoponlineor through supply catalogs.TheKLOM plastic handle is shown on the left. The GOSO steel handle isshownontheright.Intheend,ifyouarereallyinterestedincrosslockpicks,perhapsthebestplanistoacquireboth…andusetheKLOMtipswith theGOSOhandle.Aswithall lockpicking tools, someof thebestonesarethosethatyoufabricateandtweakyourself.

Figure6.45 Twodifferenttensioninghandlesforcrosslockpicks.Thehandleontheleftisallplasticandpotentiallyweak.Theoneontheright is steel,and(inmyexperience) ismuchstrongerandofahigherquality.

DimpleLocksSomepeoplemayfinditoddthatthisbookhasnotcoveredthetopicofdimple locksuntilnow.Perhapsthat’sasymptomofmybeingfromtheUnitedStates…while this styleof lockmaybequitecommoninotherparts of theworld (indeed, I have evenheard this lock called a “Eurokey”style,anameIamnotcrazyaboutduetotheobviousimplicationsofgeographicnarrow-mindedness), it isnotvery typicalwhere I comefrom.Dimple locks bear this name because of the manner in which the

bittingcutsareformedontheirkeys.Insteadofnotchescutintothethinedgeof thekeyblade,holesaredrilled into the flat surfaceof thekeyblade. A simple dimple lock that perfectly represents this style ofmanufacturingcanbeseeninFigure6.46.Whilethismayappeartobeaveryinnovativedesign(andtosomedegreeitis;Idon’twanttodiscountthemultitude of dimple locks out there that are verywell-engineered

andmonsterstopick)itisimportanttounderstandthattheunderlyingmechanism within such locks is still just plain pin tumbler stacks. (Ifpeered into the keyway at the right angle andwith good lighting, thepins can be seen, as shown in Figure 6.47.) Without any additionalprecautions taken by manufacturers, these locks can be picked in thesamemanneraspintumblerlockswith“vertical”keyways.

Figure6.46 Adimplestylelock.ThisparticularlockisfromJapan,althoughdimplekeyscanbeseeninanumberofregionsaroundtheworld.TheyarelesscommoninNorthAmerica,however.

Figure6.47 Whilethekeyandkeywaymayseemhighlyunconventional,holdingthelockattherightangle(andshiningalightintherightspot)canoftenrevealthesimple,regularpintumblersfoundwithin.

Becauseoftheorientationofthekeywayondimplelocks,traditionallockpick tools are rarely useful. There is a whole wide range ofspecializedtoolsthatexistforthepurposeofpickingdimplelocks.Mostdimplepickshavethelookofsmallflagsorgolfclubs(seeFigure6.48),andtheyareusednotbyrockingorraising,thetechniquesthatwerefirstseen in Chapter 2, but are instead inserted into the lock and rotatedalongtheir longaxes.Thisallowsthesmall“flag”tipstocatchandliftsome of the pin stacks. There are also rake tools designed for dimplelocks;thetipsoftwosuchtoolscanbeseeninFigure6.49.

Figure6.48 A seriesofdimplepicks.On the right is a closer lookat the tipson twoofthesetools.

(Photocourtesyofdatagram.)

Figure6.49 Acloserlookatthetipsoftwodimplerakes.

(Photocourtesyofdatagram.)

I stated that these lockscanbeoftenpickedwhenmanufacturersdonottake“anyadditionalprecautions”liketheoneswehaveseenbefore,mosttypicallyinChapter4.Itshouldbeunderstood,however,thatmanymanufacturers of dimple locks do take security quite seriously. Pick-resistantpinsarequitecommonindimplelocks,and(inmyexperience)they tend to be fabricatedwith great imagination and creativity. (Thestyles of pins that Han Fey calls “sneaky pins” which were alsoreferencedinChapter4wouldberightathomeinmanydimplelocks.)Furthermore, the overall fabrication of dimple locks and dimple keystends to be handled in a manner that shows great attention to tightmechanicaltolerancesandprecisionmachining.Dimplelocksarenotimpossibletopick,buttheywilloftengiveyoua

verysignificantchallenge.EvenwithspecializedpicktoolssuchasthoseseeninFigures6.48and6.49,itcanbedifficult.Tacklingadimplelock

that lacks any special pick-resistant features, however, is likely to bewell within your skill range if you have proceeded through all of theexercises that this book has suggested thus far. It can even be donewithoutthepurchaseofexpensive,specializedpicktools.MyassociatesandIhaveattackedcheapdimplelockswithentirelyimprovisedtoolsinthe past. A half-diamond pick makes an adequate dimple lifter in apinch.Somepeoplewillevencarveasparehalf-diamondpickslightlytomakeitmoreeffectiveinthisvein.Ialsohaveonebrokenpickwithmeinmylargetoolkit that Ibent intoawaveshape inorder tomakeanimpromptu dimple rake. Such improvised tools can be seen in Figure6.50.Whiletheyaren’tverypretty,theycanstillbeeffectivefromtimetotime.

Figure6.50 Improviseddimplepicks.Thewavyrakewasmadefromabrokentoolandthelifterpickisahalf-diamondthatIcarvedslightlywithahandfile.

TheSecretWeaknessin90%ofPadlocksThereisonelastsecrettipIwanttosharewithyou.Ididn’tchoosetorevealthisearlyoninthebookbecauseIwouldn’twantanyonetakingashortcutmethodtoopeningeverylocktheysee.Iwantedyoutolearn,Iwanted you to practice.However, having read this far…you cannow

learnthesecretvulnerabilitypresentinthevastmajorityofpadlocksonthemarkettoday.Often,allthatisneededisapapercliporstiffpieceofpianowiretoattacklockswiththisweakness.Howoftenhaveyouseensmallholesinthebodyofapadlock?These

arevisibleonmanypopularmakesandmodels.Theymaybeindifferentpositions, but they are almost always present. Many such holes areshown in Figure 6.51. Would you like to know what these are, whatpurposetheyserve,andwhatweaknesstheyprovide?

Figure6.51 Small, nondescript holes are found on the body ofmany padlocks. Do youknowwhattheyarefor?

I am so sorry to disappoint you,my dear readers. These are simplydrainholes,andnothingmore.Whenexposedtotheelements,padlockscan accumulate water due to rainfall or even condensation runningdown the shackle. This water could pool inside the lock, potentiallyresulting in jamming or fouling… particularly in cold climates. Byhavingholessuchasthisinthebodyofthelock,waterisabletodrainout.Idohopeyoucanpardonmeforthisbitofdarkhumorattheendof

the book. However, it is here with a twofold purpose. First of all, Iwantedafunandamusingwaytodispelalloftherumorsthatcirculate

concerning these holes. I have heard highly uninformed people makeincredibly grand claims over the years concerning drain holes. I haveheard them described as places where “master override keys” can beinserted.Ihaveheardthemlinkedtotheoriesabouthowalockmightbedisassembled. I have heard themdescribed as “anchoring points” usedbyfactorymachinerytoholdandalignworkpiecesduringproduction.Noneofthesetheorieshasanybasisinfact.

SummaryThesecondreasonthatIchosetoclosewiththishumorousnotionistoreinforce a universal truth about lockpicking… the only tried-and-truemeansofopeningmostofthelocksthatyoucomeacrossistopractice,practice, practice. Becoming a great lockpicker is no different thanbecomingatalentedmusicianoraskilledathlete.Itdevelopsovertime,withhardworkanddedication.Itrulyhopethatthatthisbookhasgivenyouasolidfoundationofknowledgeuponwhichyoucanbuildandthatthesuggestedtechniquesandexercisesofferedinthesechapterscanhelpyoutobecomecomfortablewithyourtoolsandtactics.Ifyouhavehadfunreadingthesepagesandtryingmysuggestions,hopefullyyouhavedevelopedanewhobbyandyou’llkeepatit.Overtime,thisuniqueandfascinating skill set can become a part of your vocational life if youperform penetration testing work… and it can be a very entertainingleisurediversionforyouandyourfriends.

1Whilethetermscruciformandcrossarerelativelyinterchangeable,dependingonhowfancy

onechoosestobeinreferencingtheshapeofthekeyway,thename“Zeisslock”isless

accurate.Muchinthewaythename“Chicagolock”isnolongerasuitabletermfortubular

locks(sincethatoriginalmanufacturerhasnowbeenjoinedbynumerousothersinthe

marketplace)thename“Zeisslock”isareferencetooneofthepioneersofthisdesign…but

thatcompanyisnolongerthesoleproducerofthisstyleoflock.Ihighlyrecommendthat

peopleusetermsthatreferencetheshapeofthekeywayinstead.

APPENDIX

GuidetoToolsandToolkits

ChapterOutline

GuideToDifferentiatingPickToolsANoteAboutTensionToolsPickKitSuggestionsConclusion

Thisfinalsectioninthebookisdevotedtodiscussionsoflockpickingtools…whatwecallthem,howtochoosethem,andhowtocarrythemwhere they’re needed. There are a number of different companiesproducinglockpicks.Thequalityoftoolsonthemarkettodaycanvaryagreatdeal…however,itshouldbeunderstoodthatmuchofthevariationfrom one supplier to the next pertains to very intricate details ofmetallurgy.Often,it’snotamatterofqualityasmuchassuitability.Toolsthatonepersonfindsusefulmightnotbepopularwithsomeoneelse.It’samatteroftaste,whichisoftentiedtoindividualskill.Peoplewhoarejuststartingoutlearningtopicktendtodowellwith

toolsproducedusingspringsteel.Thismetalhassomeflexandgivetoit, and it is a littlemore forgiving of rough handling, evenwhen thinstock isused toproduceequipment.Lockpickerswithmoreexperienceare usually fans of pick tools that are stiffer, as this can offer bettertactile feedback when someone has learned to “see with their hands”

duringlockpicking.Toolsmadeofhardenedsteelareoftenpopularwithprofessional lockpickers. One vendor, Peterson Tools, touts their“government steel” tools as being particularly stiff. The companySouthernOrdinance (commonly known as SouthOrd),which is usuallyknown for selling medium-quality spring-steel equipment to novices,breaks from their normal routinewith their “MaxYield” line of picks.Designed for finely-skilled hands, these tools are also quite stiff. Myfavoritevendorofpick tools is theChicago-basedcompanyHPC.Theirdistributionnetwork tends tobemore restrictive,withonly locksmithsand recognized security professionals able to obtain HPC picks (theRytancompanyhasasimilarpolicy),buttomethequalityissecond-to-none.Boththespringsteelandthestainlesssteel lineofHPCtoolsareparticularlystiff,dueinparttoslightlygreaterthicknessofmaterialontheir spring steel equipment. This is a smart tradeoff, inmymind. Bythickening their picks slightly, HPC offers equipment in a forgivingspringsteelthatstillperformslikea“stiffer”hardpick.Most lockpicks are made from metal that is 0.020 inches thick.Southern Ordinance, Rytan, and a wonderful outfit named SouthernSpecialties all produce picks of this size. The HPC Company’s line ofstainless steel picks also tends to be 0.020 inches thick. HPC’s springsteel picks are offered in 0.022-and 0.028 inch thicknesses. If you aredoingmuchofyourworkinNorthAmerica(wherekeywaystendtobelessnarrowandwith less challengingwarding), their thickerpicksareterrific,inmyview.Whendesigningtheir“EmergencyCreditCardpick”(whichwill be discussed in the section onpick kit choice later in thischapter),TheOpenOrganizationOfLockpickersoptedtousemetalthatis0.025inchesthick…afineaveragethatservesallneedsratherwell.Asyoubecomemoreskilledyoumayfindyourselfwishingforstifferlockpicks thatoffergreater tactile feedback.Youcan seekout supplies

fabricatedwithhardermaterials,purchasethickerpicks,oryoucantryto modify your existing tools. Heat-treating your steel picks bytemperingthemwithatorchuntilthemetalglowsadeepredcolor,thenquenching them in oil is an effective way of increasing stiffnesssomewhat.Another solution is to seekoutpickswithmetalhandlesasopposed to plastic or rubber ones. (The exception to this rule arelockpicks thatare fabricatedbyLegion303. Ifyouare luckyenough tocomeacrossoneofhiscustom-madesets somehow, itwillbe instantlyobvioustoyouthatthehandlesaremadeofabakedplasticmaterialyetthey perform like ceramic or metal. That is part of the magic of hisprocess.)

GuideToDifferentiatingPickToolsOne thing that has been a significant source of confusion amonglockpickers (both within the sportpicking and hobbyist community aswellas thosewhoareprofessionally in the locksmithing trade)are themultitude of names that exist for all of the pick tools in common usetoday.Somepicktoolsareknownbyasmanyasfiveseparatenames…afactthatcancausenoendofheadacheswhendiscussingtoolkitsamongfriendsorattemptingtoplaceordersforpicksfromsuppliers.Ifyoudon’tthinkittoopresumptiveofme,Iamgoingtoattempttobringsomeordertothechaos.Ihavedonealotoftraveling,lecturing,andcollaboratingwithlockpickersandlocksmithsaroundtheworld,allthetimepayingcloseattentiontowhatnamestheyusedwhenreferringto their tools. I have asked my friends and associates what the mosttypicaland/ormostappropriatenamesareforallofthepicksinourtoolkits. The results of these years of dialog are assembled here. This listshall (hopefully) represent some of the most-accepted names forcommonlockpickingtools.

I have no wish to impose a draconian ultimatum across thelockpickingworld,butitwouldbereallyniceifsomeofthevendorsoutthere would consider referring to products using the terms that thecommunityhasadopted,asopposedtorelyingexclusivelyonthearcaneseriesofmodelnumbers andproduct codes that continue toappear incatalogs.

Thickandthinshafts

Oneoftensees some toolsdescribedas“Euro”or“Thin” incontrast toothersreferredtoas“Standard”or“Plain”insomefashion.Duetohowthesetermsareworded,manypeoplecometobelievethatvendorsusemetal stock of differing thicknesses when fabricating such equipment.That is rarely the case. As mentioned in the above section, mostmanufacturersofpicktoolshaveaveryspecificthicknessofmetalandtheyuseitforallproducts.Most“thick”and“thin”tools(whenthey’reofferedbythesamevendor)aredistinctonlyintermsofthesizeoftheirshafts (that is, theportionofa lockpick inbetweenthehandleandtheworkingtip).LookatthetwotoolsshowninFiguresA.1andA.2.Thedifferencein

their profiles is the only thing that makes them either “euro thin” or“standardsize”…themetalstockusedisthesameinbothcases.

FigureA.1 A“plain”sizedpick,whichwouldworkinmostlocksbutcouldencountersomedifficultywhenfacingalockwithaverythinkeywaywithtightwarding.

FigureA.2 A“thin”or“euro”stylepick.Everythingaboutthispickisexactlythesameasthepickabove,saveforthethicknessoftheshaft.

Hookpicks

Sometimescalled“lifter”picksor“finger”picks,themostcommonandwidely-acceptednameforsuchtoolsisjusttheterm“hook”.ThesetoolsappearinFiguresA.3throughA.8.

FigureA.3 ShortHook(flattopvariant)—Thename“ShortHook”(or“SmallHook”)getstossedaroundalotwithnoofficialstandardattachedtothattitle.Iwouldproposethattobea“short”hook,theworkingtipmusthaveanoverallrisethatisnomorethan150%thethicknessoftheshaftwhereitmeetsthetip.Thisshorthookfeaturesaflattopandthetiprisestoaheightthatis100%thethicknessoftheendoftheshaft.

FigureA.4 ShortHook(roundedtipvariant)—Iwouldstillcallthisa“ShortHook”duetothe fact that its tip (despite being rounded andhaving a littlemore size than thepick shownabove)stilldoesnotrisemorethan150%ofthethicknessoftheendoftheshaft.

FigureA.5 MediumHook—Anyhooktoolwhosetiprisesbetween150%and200%ofthethicknessoftheendoftheshaftIwouldcalla“MediumHook”.

Figure A.6 Gonzo Hook—Particularly popular among the European sportpickingcommunity, the “Gonzo Hook” is named due to its particularly deep curve and rounded tip(giving it theappearanceof thenoseof thepopularMuppetcharacter).AGonzoHook, inmydefinitionhasatipwhichrisesbetween200%and250%ofthethicknessoftheendoftheshaft.

FigureA.7 LongHook—IdonothavemuchloveforhooktoolsthatareanylargerthanaGonzo.Thistool(whichisalsooftencalleda“LargeHook”,a“DeepHook”,ora“UselessHook”)mighthelpyououtifyouareattackingcertaintypesofPostOfficelocksorattemptingtopickyour way out of handcuffs. Other than that, it serves little purpose and should really stopshowingupinbeginnertoolkits.(FullDisclosure—whenIwas juststartingoutgiving lecturesandsuch,thistoolwouldsometimesappearinpickkitsthatIhadwithme.ItriedtomakeupforthatovertheyearsbyteachingpeoplehowtomodifyitintoapassableGonzo.Yougrindaboutonemillimeteroffthetipandroundtheedges.)

FigureA.8 GemHook—Ahookpickwhosetipisneitherflatnorrounded,butinsteadhasapointed rise sticking upward. This pick is highly popular among some people in Peterson’s“SlenderGem”variant.

Diamondpicks

Useful as either individual lifting toolsor for raking across pin stacks,diamond-shaped picks come in a handful of sizes and styles. DiamondtoolsareshowninFiguresA.9throughA.12.

FigureA.9 SmallHalfDiamond—Everykit shouldhaveat leastonehalfdiamond. Inmyview,tobeaproper“halfdiamond”atoolmusthaveastraight,flatundersurface.Thisparticular

toolisa“small”halfdiamondbecauseitsworkingtiprisesnomorethan50%ofthethicknessoftheendoftheshaft.

FigureA.10 MediumHalfDiamond—Thistoolissimilarinshapetotheoneabove,butitsworkingtiprisesbetween50%and100%ofthethicknessoftheendoftheshaft.Somepeoplemightmistakenlycallthisa“large”halfdiamond,butIdonotfeelthattermapplies…seebelow.

FigureA.11 LargeHalfDiamond—Besides the fact that theworking tip risesmore than100%ofthethicknessoftheshaft(I’veseenupto150%thesizeintermsoftiprise.Anythingbeyondthatseemssillytome),whatmakesthistooldistinctisthedifferentshapeofthehead.A“large”halfdiamondoftenhasasteeperslopeonitsfrontfacethanthe“medium”and“small”variants.

FigureA.12 DiamondHead—Iusedtoseethistoolincatalogsonceinawhile.Thankfully,I do not see it anymore.Utterly no onewithwhom I have ever spokenhas considered this ausefultool.

Rakepicks

Ihaveheardsomeindividualsinsistthatoneshouldnotcallthesetools“rakes”.Themotionusedwiththesetoolsis“raking”theywillinsist,butthe tools themselves go by other names. Ignore this argument, please.People who are recognized and respected in the lockpicking worldtotallydisregardthisassertion.Theterm“rake”isthemostappropriatename for such tools. There is a hugemarket for one-off, experimental

conceptrakes…butFiguresA.13throughA.18representthevastbulkofraketoolsthatonewillseeincatalogsorinlockpickers’kits.

FigureA.13 SnakeRake—consistingofan“up,down,up,down”shapeinsmooth,curvedprofileswith a rounded tip… this is oneof themost popular raking tools and is producedbyessentially every vendor. SouthernOrdinance confusingly calls this a “CRake”whilePetersonToolsdesignatesitasa“DoubleRake”.

FigureA.14 Three-QuarterSnake—Similartotheclassicsnakeraketoolshownabove,butthis rake pick only features an “up, down, up” shape. HPC and Rytan are some of the onlyvendorsofwhichIamawarethatproducethistool.

FigureA.15 HalfSnake—Thisisnotnearlyascommonaraketool.It’sbasedonthemain“snake”designbutfeaturesonlyasingle“up,down”curvatureinitsshape.

FigureA.16 DoubleSnake—Asfaras Iknow,PetersonTools is theonlymanufacturerofthistool,whichtheycalla“QuadRake”.

FigureA.17 StretchedRake—Takingthe“up,down,up,down”motif inanewdirection,

this tool makes an appearance every so often. Some people call this an “S Rake” due to itsstretchedsize,butthatlabelisusedbySouthOrdforadifferenttool.

FigureA.18 Batarang—Namedasanhomagetooneof theCapedCrusader’smostusefultools,thisverypointyrakeiscalledan“SRake”bySouthOrd.SouthernSpecialtiescallsthisa“Camel Back” tool. Trust me, however, to the lockpicking community this will always be a“Batarang”.Itisnotahighlypopularrake,however,giventheparticularlybadweaknessinitsdesign. I’ve seen the tipof this rake snapoffanumberof timeswhensomeonehandles it tooroughly.

Jaggedlifters

Many people would simply classify the tools shown in Figures A.19throughA.23 as “rakes”…and some can indeed be used as rake toolsquite effectively in many instances. However, the original purpose ofsomeofthesedesignswastoapproximatesomeofthemostcommonkeybittingpatterns.Byinsertingoneofthesetoolsintoalockandliftingitintothepinsvertically(perhapsatvariedangles),onecansometimesgetlucky and catch most (or all) of the pin stacks at the shear line.Nowadays,mostpeopleusethecombinedrapidlifting/rakingtechniqueof“jiggling,”whichisexploredinthesubsequentsection.

FigureA.19 WedgeRake—Thistoolisdefinitelyacontenderforthe“leastusefullockpick”award,inmyopinion.Oftencalleda“WRake”,Iknowofnoonewholikesthistoolorwhousesit with any regularity at all. In the Brockhage catalog, this is referred to as a “Short Jag”.SouthernSpecialtiescallsita“Ramped”tool.

FigureA.20 LongRake—Somepeoplecallthisan“LRake”or“ComputerGeneratedRake”(but I know of no evidence that this design is a product of algorithms or crazymath). Somepeoplelikeit.Idon’thaveoneinmykit,butIdon’tthinkit’sparticularlyhorrible.Brockhagecallsthisa“LongJag”,whileSouthernSpecialtiesreferstoitasa“SawTooth”.

Figure A.21 Falle Slope—Unlike the “Long Rake” shown above (which some peopleconsider tohavebeendesignedusingcomputermodeling,withoutevidence to thateffect),wehaveitongoodauthoritythatJohnFalledesignedhisjaggedliftertoolsafterextensiveresearchand computer modeling. This tool and the two that follow in Figures A.22 and A.23 arespecializeditemsthatattempttomimiccommonkeybittings.

FigureA.22 FalleValley—Another John Falle tool that can be lifted into a pin stack atvariedanglesinthehopesofsettingallthepins.

FigureA.23 FalleHump—Knownaffectionatelyasthe“LongRimple”bymyDutchfriends,thisisaJohnFalledesignthatIparticularlylike.UnliketheSlopeandValley,thisFalletoolcanbeaneffectiverakeaswellasa lifter.Thisnicknameshouldnotbeconfusedwith the term“LongRipple”whichisusedbyPetersontorefertoatoolthatissimilartoeitheraLongRakeoraFalleSlope.

Jigglerpicks

Many of the tools in this section are creations of the wildly talentedindividualknownasRaimundo.The“Bogotá”pickthathecreatedyears

ago spawned awhole family of related toolswhich are typically usedwith the elliptical raking/jiggling motion described in Chapter 3 inFigure 3.38. To be a proper “Bogotá” pick, however, a tool must befabricated using Raimundo’s unique process of rounded edges, highpolish, and feature an unconventional, angled handle. Figures A.24throughA.31representtheRaimundofamilyofJigglerpicksalongwithsomeaffiliateditems.

Figure A.24 Bogotá—The new design that started quite a trend, three humps withundercutting and a consistent, even overall thickness. High polish and rounded edges on allsurfacesareacharacteristicofall“proper”attemptsatduplicatingtheRaimundostyle.

FigureA.25 WaveJiggler—Thisisbasicallyaknock-offoftheoriginalBogotádesign,withsimilarspacingbetweenhumpsbutfabricatedjustfromstamped,flatmetalwithnohighpolish.Thesetoolsareoftenincorrectlycalled“Bogotás”(thatnameistrulyreservedforthetoolsthatgettheRaimundofinishingtreatment).Sincethename“WaveJiggler”canseemabitawkward,Iamokwithpeoplecallingthisa“pseudoBogotá”or“knockoffBogotá”…sometimesthetermtongue-in-cheekterm“Faux-gotá”isused.

Figure A.26 Raimundo Single Hump—Sometimes called a “Bogotá half diamond” or“Raimundo half diamond”, I don’t like that term. A half-diamond is a pick with a fully flatunderside, inmyview.Whenproduced as a simple, flat pick, the vendor Southern Specialtiescallsthisa“HollowHalfDiamond”.

FigureA.27 RaimundoDoubleHump—AnotherpopularvariationintheRaimundofamily.Ionceheardthiscalledacamelpick.Hah,doesthatmakethepickinFigureA.26aDromedary?

FigureA.28 Raimundo Quad Hump—Yet another Raimundo variation. Both the “TwoHump”and“QuadHump”arefarlesscommonthantheoriginalthreehumpBogotá.

FigureA.29 Sabana—Inareview1byJohnKing,thistoolseemedtoperformaboutaswellasthe“SingleHump”…the“QuadHump”outperformeditsomewhat.

FigureA.30 Monserate(Fore)—Inthatsamereviewreferencedabove,thispickperformedvery well, for both experienced pickers and novices. The Monserate picks are unique in theRaimundofamilyinthattheydon’thaveundercutsintherearwardpositions.

FigureA.31 Monserate(Aft)—Thecompanionpiecetotheoneabove,thisisjustaslightshift.IthasbeensaidthattheseMonseratepicksareavariationontheKingandQueendesign(describedinthelastentryofthissectionoftheAppendix).

Ballpicks

Ball picks are sometimes used to attack wafer locks. While I can

appreciate the means by which a Snowman style ball pick can beemployed in this manner, personally I tend to rake such locks or usewafer jiggler toolsasdescribed inChapter2.ThehandfulofballpicksthatonesometimesencountersareshowninFiguresA.32throughA.35.

FigureA.32 BallPick—Thistoolappearsinallsortsofkitsandonthepopular“jackknife”toolkit.Somepeopleclaimtheyuseitonwaferlocks.Itendtothinktherearefarmoreusefultoolsthatcouldbepartofyourinventory.

FigureA.33 Snowman—Alsocalleda“DoubleBall”pick,thistoolispopularforattackingwaferlocks.Iprefertojustrakesuchlocks,butifyouwanttotryto“lift”individualwafers,thistoolcanhelpyoudothat.

FigureA.34 HalfBall—Itreallyseemslikesometimespeoplewhogetintothebusinessofmakingpicktoolsproducewhateverpickstheycancopyfromexistingdesigns,thentryto“setthemselvesapart”byscratchingtheirheadandsaying,“Well,Isupposewecouldmakethis.”IallbutguaranteethatsomeonetookanexistingCADdiagram,drewastraightvector line,cuttingoffpartofthetool,andsaid,“Hey,look!Ijustmadeanewpick.”Ihaveneverseenanyoneusethistool…ever.

FigureA.35 Half Snowman—Like a full size Snowman, this tool can also help to “lift”individualwafersinalock.Again,Iwouldthinkthattherearefarsuperiortoolsoutthere,but

somepeopleliketokeepatleastoneSnowmantypepickintheirkits.

Curvepicks

Auniquetypeofdesignwhichisdifficulttoclassify,theseareessentially“hook”picksdesignedforlifting,buttheirshapeissodistinctthatIfeltthey merited their own category here in this guide. These picks areshowninFiguresA.36andA.37.

FigureA.36 DeepCurve—For the longest time, toolsof thisprofilewereunique toFallesets.Otheroutfitsareproducingthemnowadays,however.Petersonseemstomakeaversionofthiswhichtheycallthe“Reach”tool.

FigureA.37 Hybrid—Somethinginbetweenatypicalhookandacurvetool,thisisapickwhich I saw once in someone’s kit that had been designed by an individual known asLockNewbie. The craftsmanship was terrific and great care had apparently been taken in thefabrication,polish,andfinishing.

Offsetpicks

A number of vendors offer pick tools that appear to have traditionalshapesatthetipofashaftwhichhasbeenbentatapproximatelytwentydegrees at a point maybe a half inch back from the tip. My friendScorchepointedout that thesearealso calledDeforestpicks.TheyareshowninFiguresA.38throughA.40.

Figure A.38 Offset Diamond—A half-diamond top on the end of an offset shaft. ThePetersoncompanycallsthese“HookedDiamonds”.

FigureA.39 OffsetBall—Ahalf-balltipontheendofanoffsetshaft.

FigureA.40 OffsetSnake—Itwouldseemtomethatthiscouldmakerakingmoredifficult,butI’veseenthistooloutthere.

KingandQueen

These are two very interesting styles of lockpick. They are instantlyrecognizable, due to their having an appearance unlike any other youarelikelytosee.Theseare“bittingapproximation”toolsmuchliketheitemsdescribed in the “JaggedLifters” sectionabove.However,unlikethose previously-mentioned tools, the King and Queen picks (whichappearinFiguresA.41andA.42)areneverreallysuitedforanykindofrakingattempt.Theirsharp,extremeanglescanjamwithinthelockandtheyarenotrobustenoughtowithstandsuchfeverishmovements.

FigureA.41 KingPick—Usedasakeyapproximationtool,aKingpickisliftedintothepinsandthenturningforceisappliedtotheplugusingatensiontool.Ifthelockopens,great.If itdoesn’t…onetotallyreleasespressure,alignsthepickdifferently,liftsitslightly,andtriestoturnagain.ThesametacticisusedwiththeQueenpickshowninFigureA.42.

FigureA.42 QueenPick—Thecomplementary tool to aKingpick.These two toolsweredeveloped by taking all available data about common key bittings and distilling it down tomerelyapairofpicks.Theseareoftenthoughtofas“lastchance”tools,butsometimestheydoindeedwork. Locksport key figure Schyuler Towne used one successfully during his first everattemptintheGringoWarriorlockpickingcompetition.

Extractors

This last entry of this section does not show a lockpicking tool. ToolssuchastheoneshowninFigureA.43are,rather,extractor tools.Pleaseunderstand what these are. They are not used for picking locks, butrather they are designed to help locksmiths remove broken keys andotherfoulingfromwithinalock’skeyway.Whilethesetoolsmaymakeanappearanceonceinawhileinaprepackagedtoolkit(afterall,theyareusefultocertainprofessionalsworkinginthefield),theyareofverylimitedusetopenetrationtesters,hobbyistpickers,etc.Itmaybeagoodideatokeeponearoundinyourkitjustincaseyousnapapickduringalivepentest,butdon’taccidentallyreachforitwhenyou’restartingoutand learning,because it isnotapickandshouldnotbeused to liftorscrubwithinalock.

FigureA.43 Broken Key Extractor—This might look like a Half Diamond tool at firstglance,but it isnot.Unlessyouareapracticinglocksmith,thereisalmostnochancethatyouneedthisinyourkit.

ANoteAboutTensionTools

AswastoucheduponinChapter2,Iwouldliketoagaintakeamomenttopointout themultitudeof terms thataboundforarelativelysimplepiece of equipment and seek to begin a dialog among lockpickersregarding what phrasing could be most appropriate. Throughout thisbook,thetexthasmadereferenceto“tensiontools”orjust“tensioners.”(Iusethosetwotermsinterchangeably.)Manylocksmithsupplycatalogswillrefertothesepiecesofequipmentas“tensionwrenches”andthereforethistermhasbeenadoptedbymanyinthelockpickingcommunity.Particularlysavvyindividualsarekeentopoint out that while this particular tool can cause tension within thelock, you’re not reallyapplying tensionwith it…when picking a lock,youareinfactapplyingtorsion.Theterm“torsiontool”andalso“torsionwrench” therefore is commonly heard, particularly in debates aboutnamingconventions.Duetothefactthat“torsion”isafarmoreobscureword,particularlytonon-nativeEnglishspeakers,occasionallyyoumayhearsomepeoplevoicesupportforamoreaccessibleterm,callingthisa“turning”tool.Ibelievethatthedebateregardinghowtomostappropriatelydescribethephysics of what is happening has merit, and I appreciate those whowould devote time and energy toward making “torsion tool” a moreacceptedandunderstoodlabel.However,itistheword“wrench”whichI feel does the greatest disservice to those who are learning to picklocks…anditisthistermthatdrawsthebulkofmycriticismandeffortsforreform.Inadditiontosometimesbeingacatalystforreallymuddledterminology (as I said once before in Chapter 2, every so often you’llhear a person mistakenly say “torque wrench” which is a whollyinappropriate term… that would never happen if “wrench,” weren’t apart of the dialog to beginwith), theword “wrench” simply gives thewrongimpressiontonovices.

Inthepublicmind,awrenchisatoolthatisusedtogripsomethingtightlyandapplyconsiderable turningforce.That is justnotthecaseinthe world of lockpicking. In the interest of discouraging excessivemanualpressureonthepartofthosewhoarelearninghowtopick,Iaskyou to join me in trying to expunge the word “wrench” from thelockpickingvocabulary.Thedebateover“tensionversustorsion”isstillagoodone,andshouldcontinueovertime…butthat’samatterofmuchfiner degree. Ultimately, as long as people know what you’re talkingaboutthepubliciswellserved.Theproblemwiththeword“wrench”isthatsooften,particularlyamongnewlearners,peopledonotunderstandyourexactmeaningandthis leads to frustrationandheadachethatwecanallhelptoavoid.

PickKitSuggestionsLockpickerscarry theirequipmentaround in toolkitsofwidelyvaryingsizes and styles. As you become more experienced and come toappreciatespecifictools,yourpersonalkitwillundoubtedlyevolveandgrow over time. My own toolkits have undergone a great deal ofevolution over the years. However, I feel that I have settled intosomething of a helpful routine andwish to sharemy discoverieswithyou in the hope that you might be able to develop your own toolcollectionwithminimalcostandwastedinvestment.Most pickkits, I feel, canbe thought of in specific categories. Somemight travelwith you almost all of the time,while others can remainwith your work supplies exclusively. The following list shows thelockpickkitsthatIrelyonindailylife.

Typicalkit

ThekitshowninFiguresA.44throughA.46istheonethattravelswith

meeverywhere,butwhichisnotalwaysdirectlyonmyperson100%ofthetime.It’stypicallyinthesmallbackpackthatIalwayscarry,whichcontainsmylaptop,MP3player,camera,etc.Forabasic“everyday”kit,my favorite design is the zipper-style case offered by a number ofvendors.Personally,IbelievethebestonetobemanufacturedbyHPC,since their kit contains additional fold-out flaps that offer a few extrapockets.ThekitIownwascustom-made,butintheHPCstyle…

FigureA.44 Mybasic,everydaykit.Itmeasuresabout6”x2½”.

FigureA.45 Theassortmentof tools that I carry inmyeverydaykit.Theadditional flappocketsareinvaluable.

FigureA.46 Icarryasmallassortmentofhooks,rakes,andacouplehalfdiamonds.Awiderangeoftensiontoolsarealsowithme(thatdouble-endedtoolshownatthetopmiddleofthisfigureisknownasa“PetersonPrybar”andit’soutstanding)alongwithasetofjigglers.

Iknowsomepeoplewhoclaimthataselectionsuchasmineshowsa

lackofcommitmenttoefficiency.Somelockpickersarefansofpushingpeople to consider a “small” pick case (themost commonones in thisstylehaveonlyoneor twopocketsand typically snap shut, seeFigureA.47)becauseitforcesthemtochooseonlythetoolsthatareabsolutelynecessary.Icanrespectthatlineofthinking.

FigureA.47 This is a smaller kit, featuring the barest essentials that Iwould choose tocarry.Ashorthook,aGonzohook,ahalfdiamond,asnakerake,andaBogotá…nexttoabouteighttensiontools.AmongthemisthatfabulousPetersonPrybar.

Carkit

Ifyouareinterestedinusinga“small”kitasyoureverydaytoolset,thebestwaytoresisttheurgetocramasmuchaspossibleinthereistopairthiswitha largerkit thatyoukeepnearbybutnotwithyouallof thetime.Iwouldcallthisacarkit,sinceItypicallyhavesomethinglikethetoolpackshowninFiguresA.48andA.49inmytruckwhereverIgo.

FigureA.48 Anicebi-foldortri-foldpocketedcaseworkswellasacarkit.

FigureA.49 In a car kit, I would typically recommend carrying a few extra hooks andrakes. Perhaps add in a spare half-diamond if that’s a tool that you treat with some roughhandling at times. Give yourself extra tensioners, especially if you loan them to friends onoccasion.Intheextraroomaffordedbyacarkit,I’dsayit’sagoodideatokeepasetofjigglertoolsaswellasatubularlockpick.

Bigkit

Ifyougetseriously into lockpicking,you’regoing toeventuallyreachapointwhereyouhavesomanytoolsthattraditionalkitsdon’tworkforyou. I’ve seen some folk address the situation by putting a series ofsmaller kits (sometimes with labels on them) inside of a travel caseotherwise designed for sundries. Many modern consumer electronicproductslikeMP3playersandhigh-endmobilephonescomewiththeirown“travel”caseswhichalsoworkwellforthistask.I,alongwithmanyofmylockpickerfriends,eventuallyjustwoundupsewingcustom-madekits. I like that solution thebest,because itoffersme room forexactlywhatIwantandnothingneedstogetleftout(seeFigureA.50).

FigureA.50 Alarge“pickroll”thatIcustommadeformyself.There’sstillsomeroomforgrowth,and italsocanaccommodatemanyof the strange tools that Iwouldneverneedonadailybasis.Thisisthetoolkitthatcomeswithmetoconferencesandlockpickingcompetitions.

Pocket/emergencykit

Sometimes,despitehowsmallyoumakeyour“everyday”kit,youmightfindyourselfnotwantingtobringitalongwithyou.Maybeyou’reoutata fancy evening party and you think that the extra bulkwill ruin thelines of your outfit. Maybe you’re outside enjoying lovely seasonalweather in just a pair of shorts and a t-shirt. Ormaybe you’re just avictimofthetechrevolutionandalreadycarryapersonalcellphone,anoffice Blackberry, an MP3 player, etc.… and you just don’t want one

more bulky item in your pockets. Whatever the reason, some peoplechoose toequiponeadditionalkit, inasupersmall size, that theycanalwayshaveonthemwithoutfail.Oneofthemostinnovativemethodsofcreatingthiswasshowntome

byalocksmithfriendofminenamedEd.Eddiscoveredthatsmallcigartravel cases can make excellent miniature pick cases. He has a smallleathercasewithonlytwohollowchambersthatmeasuresonly4”longand is less than 2”wide. In it, he carries a single hook, a single halfdiamond,andtwomodifiedPetersonPrybars.Beingadevoteeofescapeartistry and handcuff trickery (he routinely attends “Houdini” typeconventions), his mini case also contains a specialized handcuff pick,someshimtools,andaminiaturepenlight.For thosewho don’t want to cut and grind their existing pick tools

down to four inches in length, there is one other option. The OpenOrganisationofLockpickersproducesan“EmergencyPickCard”whichistheexactsamedimensionasacreditcard(seeFiguresA.51andA.52).It ismadeof0.025 inchsteelandcansnapapart to formaninepiecetool set. Some people would think that the small handles make itdifficult to use, but in fact it will do the job quite nicely in a pinch.Thereareevensmallholesthatallowyoutoaddthepickstoyourkeyringoncetheyhavebeenbrokenapart.

FigureA.51 Tuckedbehindthefirsttwopocketsinthiswalletissomethingthatlookslikeacreditcard,butisnot.

FigureA.52 TheTOOOLEmergencyPickcard is theexact samesizeasa standardbankcard,but itactuallycontainsanine-piecetoolkit(sixpicktoolsandthreetensiontoolswhichare built into the frame) that can come in very handy if you’re in a tight spot. It’s the onelockpickingtoolkityoucancountontoalwayshavewithyou,nomatterwhat.

Conclusion

Lockpicking is a very entertaining pastime and can quickly become ahobby towhichyoudedicate significant time and resources.However,please understand, you do not need most of the items available forpurchasewhen you’re just starting out. As discussed in thisAppendix,therearemanytoolswhichIfeelalmostnooneneedstopurchaseever.I encourage you to develop your skills. Invest in tools and practice

locks. However, please always try to remainmindful of the virtues ofefficiencyandsimplicity.Less isoftenmore.Donotbetemptedbythebiggestpickkitthatyouseeforsale.SomeofthenicestassortmentsoftoolsthatI’veeverencounteredweresimpleeight-orten-piecekitsthatwere crafted lovingly and with care by people who picked and chosetheirtoolsfromavarietyofsources,customizedsomeofthemalongtheway,andkepttheminasmall,modestpouch.Howeveryouchoosetoequipyourself,takecaretoalwaysbeethical

andresponsiblewiththisknowledgeandkeeponpracticinginordertobethebestthatyoucan.Enjoy!

1http://theamazingking.com/bogota.html

Index

Note:Pagenumbersfollowedby“f”refertofigures

A

AceLocks,203–229

AmericanLockbypasstool,191–194,192f,193f

AmericanLockpadlocks,157–158

Assembledlockdriverpinsinstallation,14,15fkeypinsinstallation,13,14fpintumblerlocks,14f,17–26SeealsoPintumblerlocksspringinsertion,15springsin,16fwaferlocks,35,35fSeealsoWaferlocks

B

Ballpicks,252,252f

BarryWels,198–199,199f

Bigkit,259,261f

Bladestylekeys,2–4,4f

Blindcode,20

Bogotájigglerrakes,148–149

Bumpkeysbump-resistantandbump-prooflocksilcoantibumppin,186–187,187fMasterLockcompany,186,186fcode-cuttingmachine,178–180,179fkeyblade,178–180,179fpullbumpmethod,180–181,180fpushbumpmethod,182–183,182f,183ftips,184

C

Carkit,259,260f

Catches,SeeDoorlatches

ChicagoLocks,203–229

Combpicksoverlifting,188–191,189f,190f

Countermilling,142–143

Counter-rotation,144–147

“Covert”jigglertools,94f

Crashbar,196,197f

Crosslocks,229application,232f,234curtainofmetal,230–231

interchangeablecomponents,230–231,230f,236open,usage,233f,234picks,230–237stylesandbrands,236tensioninghandles,236–237,236f

Cruciformlocks,229–237

Curvepicks,253,253f

Cutawaylocks,98–100,98f

D

Deadbolt,15

Defiantbranddoorlocks,155

Diamondpicks,247,247f,248f

Dimplelocks,237–238,237fhalfdiamondpick,239–240,240fkeyway,237–240,238fmanufacturing,237–238origin,237–238pickresistantpinfabrication,239smallflags/golfclubs,239tooltips,238f,239

DoorbypassingBarryWels,198–199,199fslipattacksagainstlatchbolts,195–196,196ftriggeringdoorhandlesandpushbars,196–201,197f

Doorlatches,195

“Doublemushroomspoolpin”,141

Doubleshimming,171–173

Doublesideddeadbolt,155

Doverelevatorcab,39f

Drilledandtappedcylinder,100

Driverpins,175–177,178f

Dual-sidedmechanism,171

Duolock,38,39f

E

“Edgeoftheplug”tensiontool,50–51,50f

Europeanlockcylinders,10f

Extractortools,254–255,255f

F

Featherweighttensiontool,147–148,147f

Fieldstrippingbasicsof,102–106followertool,103,104fkeyoperation,102,103fkeypins,104,105flockcreation,104–106,106fmixandmatch,123–124pseudokey,123,124fspringchamber,123,124f

woodendowel,102,103f

Flatstyletensiontool,81fheadsize,81,82finteroperabilityvs.snugfit,81–82limitation,81–82pickingtoolmovement,80,81f

G

GOSOcompany,236

H

Halfdiamondpickapplications,73–74invertedhalfdiamondpick,74,74f,75fsinglepinstacklifting,46f,72–73snapeffect,75,75f

Hookpicks,245,246f,247f

Hybridpicking,71

I

IlcoBumpHaltpin,186–187,187f

In-and-outpressingtechnique,222–223,222f,223f

J

Jaggedlifters,248–250,249f,250f

Javadi,Babak,64

Jigglertoolsangling,91fchoosing,90fclockwiserotation,89,92ftypicalsets,88,89fwaferjiggler,88,93f

K

Ke-Bumphammer,184

Keypins,175,177f

Key-in-knoblocks,130

Keywayprofile,6

Kingandqueenpicks,254,255f

KLOMcompany,236

L

Lockpickingliftingtechniquebindingpinstack,47,48fdriverpinbinding,45–47,51ffrictionalforce,48,48fhookpickapproach,53,54f,60foverlifting,dangerof,66–67pickandtensiontoolinsertion,51,52ftensiontoolinsertion,50,50f

manufacturingimperfectionschoiceofmaterials,42cost-savingmeasures,41–42cuttinganddrilling,42–43rakingtechniquefirstbindingpin,68–69,69fmultiplepinstacks,67,68fsecondbindingpin,68–69,69f

Locksnappingguns,175

raisingmethod,109,109f

rockingmethod,109,110f

springresistance,112liftingpinnedchamber,111,110fsinglepinstack,110,111f

starterexercises,106–113

toolmovementtechniquesellipticalmovement,125–126,127flateralmovement,125–126,125f,126flighttension,125rakesandjiggler,125–127,125f,126f,127fspeed,125variation,125verticalmovement,125–126,126f

Lockingdoorhandle,17

M

Manufacturingimperfectionschoiceofmaterials,42cost-savingmeasures,41–42cuttinganddrilling,42–43

Masterbrandcombinationdiallock,168,169f

Masterlockcolor-platedseriesandfusionseries,155–156

Maximumadjacentcutspecification(MACS),120

Mushroomdriverpin,140

O

Offsetpicks,254,254f

Overlifting,dangerof,66–67

P

Padlockshimsdeviantbeercanshimdoubleshimming,171–173doubleballmechanism,173f,174lockmodels,174,175f

Padlocks,16,241–242

Panicbar,196,197f

Paracentrickeyways,153–154

PetersonManufacturingPRO-1tubularpick,214f

Picktool,51

Pickingtubularlocksinsertingthepick,218,219fpick-resistanttubularhighersecuritypins,226–228,226f,227fvariedspringstrength,224–228workingthepickin-and-outpressingtechnique,222–223,222f,223fside-to-siderockingtechnique,220–222,221fzeroingthepick,216–218,217f

Pick-resistantkeyway,153–154

Pick-resistantpinscoordinatedpickresistantcomponent,142–143,142fpick-resistantkeyways,153–154,153fpinswithlipsdoublemushroomspool,141,141fliftingpressure,pinstack,138–139,139flockfeature,spooldriverpin,139f,154mushroomdriverpin,140,140fspooldriverpinrotation,139f,140,140fTrioVingdesign,141pinswithserrations,142,142freal-worldlockadvancedsecuritypincylinder,158–159,159fAmericanlockpadlocks,157–158,157fdefiantbranddoorlocks,155MasterLockcolor-platedseriesandfusionseries,155–156,156f,157fspecializedpickingtechniquesbinding,spoolpin,144,145f

clunknoise,145–146liftingpressure,pinstack,138–139,146fmarkerlineacrosslockfrontface,144,144fpushing,pinstack,144,146fspecializedpickingtoolsBogotájigglerrakes,148–149featherweighttensiontool,147–148,147fspooledprogressivelock,149–152,150f,151f,152f

Picksinserting,218working,220–224zeroing,216–218

Pintumblerlocks,175assembledlock,14bladestylekeys,2–4,4fcrosslockpicks,230–237cruciformlocks,229–237deadboltinstallation,131,131fdeadboltmovement,131,132fdimplelocks,237–240doorknobslocking,130,130fformsandstylesdeadboltfeature,3fpadlockfeature,2ffullyinsertedlock,19fmechanicalimperfectionsdisassembledlock,44fdriverpinbinding,43,44fmisalignedandmisshapenpinchambers,43–44,45f

plugandpins,off-brandlock,44–45,46fplugrotationeffect,45–47,47fqualitycontroldeficiency,44–45operationassembledlock,14fbittingcode,bittingdepthmeasurement,19bittingcutandpositionnumber,20–22keydeformation,23,25fkeyinsertionprocess,14,14fkeypinsanddriverpins,18keyvariations,22–23malfunctioningkey,24,25foperation,17–26plugturning,20–21padlocks,129–130,129f,241–242picktoolsscrewcollar,210,210fplugassembledlock,14f,15blankplugfeature,4fbumpkeyingandimpressioning,8construction,4–5cross-section,4–17,4f,5f,7fdeadbolt,15drilling,pinchambers,9exteriorfrontfacingsurface,5,5ffeatures,7f,9frontmillingprocess,5–6,5ffullyinserted,12f

hardwarecomponents,2,4fkeywayprofile,6lock,16lockcylinder,16lockingdoorhandle,17padlock,16pinchambers,11fretainingclip,12fretainingclip,security,6f,12pseudo-cutawayview,131,132ftubularlocks,203–229assembled,205–206,207fbarrelcomponents,205–206,206fdifferentlocks,204fhousing,204,205finsertingthepick,218,219foddstyles,228pick-resistanttubular,224–228plug,204,205fretainingpin,205–206,207fworkingthepick,220–224,220fzeroingthepick,216–218,217fwishbonetensioner,83,83f

Plugfollowers,102,103f

Plugspinners,131–133

Pocket/emergencykit,261,262f

Progressivelypinnedlocks,100–101

Pushbar,196,197f

R

Rakepicks,67,247–248,248f

Rakingtechniquemultiplepinstacks,67,68ftensiontoolsflatstyletensioner,76,76fforward-facingcross-sectionview,79,80fstandardtensioner,76,76fworkspacelimitation,78–79,79f

S

Securitypincylinder,158–159

Securitypins,SeePickresistantpins

Serratedpins,142

Side-to-siderockingtechnique,220–222,221f

Single-sidedmechanism,171

Snapgunsdriverpins,175–177,178fkeypins,175–177,177fpinstacks,175–177

Snappingandbumpingbumpkeysbump-resistantandbump-prooflocks,185–188,186f,187fcode-cuttingmachine,178–180,179fkeyblade,178–180,179f

pullbumpmethod,180–181,180fpushbumpmethod,182–183,182f,183ftips,184snapgunsdriverpins,175–177,178fkeypins,175–177,177fpinstacks,175–177

Sneakypins,142–143

Spoolpin,138,140–141

Squarebodypadlock,192f

Standardtensiontoolvs.flatstyletensiontool,76–77insertion,plugedge,76–77,78ftypicalpintumblerlock,77–78,78fvariations,77f

Starterexercises,106–113

T

Tensiontool,255–256properpressurewith,65fclockwiserotationalforce,applying,63fcontrolof,62–64pushingpressure,applying,63f,64ftoomuchpressureon,65f

Tomahawkhammer,184

Toolmovementtechniques

ellipticalmovement,125–126,127flateralmovement,125–126,125f,126flighttension,125rakesandjiggler,125–127,125f,126f,127fspeed,125variation,125verticalmovement,125–126,126f

Toolsandtoolkitsguidanceballpicks,252,253fcurvepicks,253,253fdiamondpicks,247,247f,248fextractor,254–255,255fhookpicks,245,246f,247fjaggedlifters,248–250,249f,250fjigglerpicks,250,251f,252fkingandqueenpicks,254,255foffsetpicks,254,254fpickkitsuggestionsbigkit,259,261fcarkit,259,260fpocket/emergencykit,261,262ftypicalkit,248f,257–259rakepicks,247–248,248ftensiontools,255–256thickandthinshafts,245,245f

TrioVingdesign,142

Tryoutkeys,86–94

Tubularlocks,oddstyles

assembled,205–206,207fbarrelcomponents,205–206,206fdifferentlocks,204fhousing,205fhighersecuritypinsin,226–228housing,204inside,204–208keys,209flockpicktool,209foddstyles,228blankkey,228,228f,229fkey-centering,228,228f,229fpicking,215–228pick-resistant,224–228plug,204,205fretainingpin,205–206,207f

Typicalkit,257–259,257f,258f

U

Unshimmablepadlocksdoubleballmechanism,173f,174lockmodels,174,175f

V

Variedspringstrength,224–226

Vice,importanceof,101–102

W

Waferbreaker,193–194

Waferlocksassembledlock,35,35fautomotivelocks,27,29finbusinessenvironment,26,26fconstruction,31–35drivepins,133,134fduolocks,38,39felevator,27,28flocks,turning,21foperation,35–38bittingcombination,35,35fcamwashersystem,36,36fcontrolwafer,37fullyassembledwaferlock,35,35fpluglimitingbit,36fplugrotationlimiter,36fpinstacks,20,21fvs.pintumblerlocks,29,31f,32fplugposition,133–134,133fprogressive,127–128tensioning,128,128funlockdirectionfor,27,133upsidedownposition,133–134,133f

Wards,153

Wiggleeffect,142

Wishbonetensioner,83fdouble-sidedwaferlock,85,86fautomotivewaferlock,86,86fpintumblerlocks,83plug,85fpressuremaintenance,86,86fpintumblerlocks,83f

Z

Zeisslocks,229