• 100 year old vulnerability in master-keyed locks

    This one is filed under “things probably only Rachel finds interesting” but dammit, I do.

    Recently, I came across this article talking about a security flaw in master-keyed locks.

    You probably remember master-keyed locks from school: your teacher had a key to their classroom, but the janitor had a master key that opened all doors. There’s a flaw in this system that lets you recreate the master key easily if you have access to one of the locks and have (or have examined) its associated, non-master key.

    Locksmiths (and criminals) have known about this for over a hundred years, but it was made public only in 2003. (!)

    OK, first some background. The common household or commercial lock is a pin tumbler[1. I wrote "tumblr" first. I hate you, web 2.0. ] cylinder lock.

    [Source: Wikipedia]

    The yellow and green bits are cylinders. The yellow one is where you stick your key in, and it rotates inside the green one.  Normally, it’s prevented from doing that by the red and purple pins. At rest, they block the gap between the cylinders and prevent the yellow one from turning.

    When you put your key in the lock, the teeth on the key line up the pins so the gap between them coincides with the gap between the cylinders. This lets you rotate the yellow cylinder, opening the door.

    [Source]

    To make a lock take multiple keys, you just have multiple cuts in the pins:

    The second key lines up a different set of cuts and so opens the lock. This is how master keys work: each lock is set up so it’s opened by one unique combination (the teacher key) and one common one (the janitor/master key).

    Can you guess what the vulnerability is?

    I’ll give you a hint: there’s more than two keys that open this lock.

    The trick is, the lock doesn’t care which pins line up with the cylinder. Any combination will do. If there are five pins in the lock, a key with four teeth the same as the teacher key and one the same as the master key will still open the lock.

    The attack works like this. Take a high school kid (we’ll call him Roger, no relation to my boyfriend at the time) with a predilection for trouble and access to one of the teacher keys. He could have a physical key (say he works as an aide for one of the teachers) or he could have just handled a key (the teacher temporarily lent him her keys to open the door).  According to the article, pin height is usually standardized. An expert can look at a key and memorize the values. A photo or an impression in clay would also work.

    Let’s say Roger figures out the key is for a five pin lock with pin heights from 1-4. In this notation, his key is 23421.

    All he has to do is make keys where only one of the pins changes:

    • 43421
    • 33421
    • 13421

    and try them in the lock. If 33421 opens the lock, he knows the first pin of the master key is 3. It’s very common for people to fumble with keys, so trying three or four keys in a row won’t make anybody suspicious. Then repeat for each of the pins.

    Also note Roger doesn’t have to try all combinations at once - he could vary a new pin each day. By the end of the week, he’d have the set and the entire weekend to break into the principal’s office and do unspeakable things to his desk.

    I’ve glossed over some of the details, but the scholarly article is short and quite readable. Recommended: http://www.crypto.com/papers/mk.pdf

    Bicycle Repair (Wo)man

    As many of you know, I have a NEW JOB. Hooray!

    New Job is all of 2.5 miles from my house, so I figured I probably shouldn’t be a lazyass and drive. So I bought a bike. Used. Off Craigslist. Late at night from an Irish guy out of a warehouse and it was not at all sketchy.

    BEHOLD. My new bike:

    It's BEEUUUUUTIIIFULL

    Yeah, yeah, okay, it’s not very impressive. “Hell of ugly” you might say. It was $80 off Craigslist. Whadda want.

    It worked fine enough for 2.5 miles over flat territory, but after riding it a few times, I noticed it had a few issues:

    • A complete lack of interest in going up to a higher gear
    • If I got it in a higher gear, after a minute it’d decide it’d really rather not 
    • It made weird grumbly noises if I really really insisted on being in a higher gear
    • I got too much of a workout riding the thing 2.5 miles over flat ground

    Did I mention used? Craiglist? Eighty bucks?

    So I went on Youtube, looked up “bicycle repair” and I’ve been able to fix most of the problems. I be writing this down so I remember what the hell I did, and maybe one of you will have a cheapass bike that needs fixing.

    Bad Cable Tension

    One of the first videos I found was this one, on how to adjust cable tension. Sure enough, the rear cable was hell of loose. I hand-tightened it up to where it looked OK. Shifting the rear gears worked better after that.

    Tightening the rear cable

    Bad Shifter Tension (?)

    I don’t know what to call this - I couldn’t find a video on it. The problem was the front shifter would not stay in a higher gear. You ratchet it up and it would ratchet itself right back down, thank you very much.

    Turns out there’s a screw on the shifter that was really, really loose.

    I screwed it good.

    I screwed it in until it was tight. That fixed it. Yes, I am a genius.

    Front derailleur is whack

    This guy, despite his annoying habit of telling you what to do, and then remembering the three steps you should do before you do that thing, walks you through adjusting the low and high limits for the derailleur. This sets how high and low it shunts the chain.

    On my bike, the limit screws look like this:

    There's a joke to be made here about high and low screwing, but this is a classy place.

    Sure enough, they were wildly off on my bike, and I’m still not sure I have the high limit set right. At least I can get it into high gear.

    Brakes are whack

    As I finished all that stuff up, I noticed the front brakes were really tight and one side was rubbing against the tire. So THAT’s why I get a really nice workout riding the bike.

    The light outside’s going, so I’ll probably adjust this tomorrow.

    Jam & Laziness

    I make jam because I’m lazy.

    But, you say, can’t you buy jam from the store? How much more lazy can you get?

    Aha, I say, but then you have to put on pants. And find your keys. And find your preeeeeeciousiPhone. And drive to the store. And find the jam. And find the right jam that doesn’t have all that weird coloring and HFCS. That’s work, people. Hard work

    The solution to this madness?* Freezer jam. You can make it from easily stored ingredients in less time than it takes to go to the store. And I’m only somewhat lying.

    There’s no cooking and above all, NO CANNING. I don’t know about you, but the idea of doing a lot of work to give myself botulism…eh.

    Freezer jam is so-called because it’s stored in the freezer instead of all that canning nonsense, and it’s not cooked so it actually tastes like fruit. Even with supermarket frozen berries, it’s better than just about anything you can buy in the store. And you don’t even need any pants.

    What you will need is:

    • Fruit (fresh or frozen, both work great)
    • Pectin (the normal powder kind, not the gel or the low-sugar stuff)
    • a crapton of sugar (somewhere about 4-5 cups) 
    • lemon juice (optional)
    • salt (optional)
    • some empty jars or tupperware containers

    For this batch, I used two 1lb bags of blackberries from Safeway. The better the fruit, the better the jam, but this is what I had on hand. It works.

    The fruit needs to be room temperature, so if you’re working from frozen, I recommend defrosting in the microwave. If you just dump berries in a bowl, you’ll be waiting about four hours for them to defrost. Not that I would know.

    THEN HULK SMASH BERRIES! GRRRRRRRAAAAAAA!!!!

    You can do this in the food processor…but it’s too easy to puree the fruit or make it all choppy. The potato masher approach works best, IMHO. And it’s very satisfying. BERRY SMASH GOOD. 

    When you’re done, measure how much fruit you have. 

    The pectin box will have a recipe for no-cook freezer jam, and I base how much sugar to add on that. It depends on what your fruit is. For blackberries, it’s 5.5 cups for a quart of berries. This batch was less than a quart so I used only 4.5 cups. It’s fine to use a little less than they say, but don’t reduce it dramatically. You need the sugar for it to jell properly.

    Dump the disturbingly large amount of sugar in the berry mixture and stir around.  Leave it to sit for about 10 minutes, or until all the sugar crystals have dissolved. Stirring makes it go faster, but it’s fine to go off and play Angry Birds or something.** 

    Usually this is where I add lemon juice (1-2 teaspoons) and a tiny bit of salt (1/8 teaspoon), but it’s optional. When I have lemon on hand, I use it, and if I don’t, I don’t. That’s just how I roll.

    Once that’s done, dump pectin in sauce pan, add 3/4 cup water, bring to boil, boil for minute. It’s easy like Sunday morning.***

    Then dump the boiling pectin in the fruit and stir around for a couple minutes until you’re really really really sure it’s all mixed in.

    Then divide up between your containers. Now you’ve got a use for all those old jam jars you save for no readily apparent reason and your husband keeps asking why you save them and then stealthily recycling when you’re not looking. No. Not today, for today you are vindicated! YES!

    Aren’t they lovely?

    They’ll need to sit on the counter for 24 hours to set up****, but you should see them start to jell in an hour or so. After that, they keep in the fridge for three weeks or the freezer for up to a year.  (I’ve never had a batch last that long, though.)

    Hooray for lazy!

    ~~~~

    * This line was “How to get out of this jam?” in the first draft. Don’t worry, I already slapped myself.

    ** Who wants to bet when this reference will seem old and absurdly dated? I call July 2012.

    *** OF COURSE this popped into my head while writing and now it won’t leave. If I have to suffer, you have to suffer. 

    **** Thus the “kind of lying” part. I suppose it doesn’t take 24 hours to get to the store unless you’re Pa Ingalls. 

    The MacGyver Kit

    The inspiration for this project was simple: I rubbed my eyes. For those of you who don’t wear contact lenses, you’re not aware of the peril I was in. Contact lenses are amazing little beasties, but if your eyes are dry (and mine were) they’ll pop off and instantly dry up into expensive, transparent raisins. You then have about 45 seconds to fumble about and find saline or water to have any hope of getting them back in.

    No problem…if you’re at home. If you’re twenty miles away on campus, not so much. Thankfully I found a drinking fountain and spent the rest of the day with one gritty, filmy contact lens and a headache.

    Thus the MacGyver Kit was born.*

    This kit fixes things that’ll ruin your day: headaches, backaches, colds, bad breath, blisters, cracked lips, unexpected trips to the beach, hangnails, parking meters and loud people. It fits in almost any bag and goes in carry-on luggage. 

    First, you need a container. I made my own box pouch using this pattern, but you can use a makeup bag or other travel case. My bag measures 5” long by 3” wide by 2” tall - about the size of a can of soda. 

    And here’s what’s on the inside (slightly bigger image here):

    My current rev of the kit contains (starting from front left):

    • Bandaids (5)
    • Knuckle bandaid (1)
    • Blister pads (3)
    • Sewing kit with:
      • needle
      • black and white thread
      • black and white buttons
      • safety pins (3)
    • Excedrin
    • Throat lozenge
    • Benadryl
    • Dayquil
    • Prescription medication
    • Ibeprofin
    • $1 in quarters
    • $20 bill 
    • Contact lens case containing:
      • lip balm
      • suntan lotion
    • Spare set of contact lenses
    • Saline eye solution
    • Floss
    • Nail clippers
    • Tweezers
    • Hair bands
    • Toothpaste
    • Deodorant
    • Sacred tokens of my people
    • More sacred tokens of my people
    • Earplugs
    • Cotton string

    The medications are in plastic wrap. I wrote what they are on a scrap of paper and put it under the final fold of wrap:

     

    The sewing kit is DIY too. It’s made out of a scrap of fleece leftover from another sewing project, and closed by the safety pins:

    Inside

    The thread is wrapped around a notched piece of paper. 

    Would you believe I still have a couple square inches of room in my kit? I’m considering adding:

    • Instructions. First aid, emergency numbers, knot tying, card games, submarine plans, you name it. Print it out in tiny tiny print and shove it in. 
    • Superglue.  Never know when you might need to stick a thing to another thing. Or fix your pantyhose.
    • Duct tape.  Or tape a thing to a thing.
    • Thumb drive. With a TrueCrypt drive, I can carry all my important documents around with me. You never know when you might need your 2007 taxes. 

    Cost? That’ll vary by how much you have on hand. I think I spent about $20 on items specifically for the kit. It’s more than worth it - the bandaids, blister packs and womanly things have already been replaced.  

    And I never have to be afraid of rubbing my eyes again.

    ~~

    * Alternative, less family friendly name: The Oh Sh*t Kit.

Contents © 2013 Rachel Sanders