117 comments

[ 3.0 ms ] story [ 164 ms ] thread
A combination "20 - 40 - 60" on a dial that goes from 1 to 60... Sounds like an equivalent of a factory-default admin/admin login credentials. I wonder if it really was the default combination that the safe was bought with, and the owners never bothered to change it. :)
Ha yes, or equivalent to 'password'. Raises the point that humans interacting with machines will always display similar behaviours.
Puts me in mind of Surely You're Joking Mr Feynman...
I found that chapter really fun and I should try that... But then I think -- he was cracking safes in a military top-secret nuclear research facility!
>The museum had previously enlisted the help of experts to crack the code, tried default combinations, and had contacted former hotel employees to see if they could help.

It doesn't sound like it was the default, just a "password1" situation.

Ah, I missed that bit, thanks!
Or maybe they just hired shitty locksmiths. Shitty locksmiths are often easier to find than real locksmiths.
> A combination "20 - 40 - 60" on a dial that goes from 1 to 60... Sounds like an equivalent of a factory-default admin/admin login credentials.

The article explains that it was a common combination for people to use on this type of safe - "Typical combination lock, three times clockwise - 20 - two times counterclockwise - 40 - once clockwise - 60, tried the handle and it went".

"admin", ""? Nope.

"admin", "admin"? Nope.

"admin", "passwd"? Yep!

For maximum security, use username "password" with password "admin".
"I pulled a sneaky on ya"
So that's a quote from the museum visitor who opened it. I don't think he knew "common combinations on this type of safe". I think he was saying what was typical was the mechanism, three times clockwise [some number], two times counter-clockwise [some number], etc. Not the numbers.

We of course wouldn't have heard about it if it wasn't succesful. The real odds are "how many safes are there like this that people are trying all over the world, and what's the chance that someone at ONE of them would succeed." :)

Definitely sounds like a default.

When you turn in a container with a classic combination lock in the DoD world, you set the combination to 10-20-30-40. The next person issued the container opens it and sets it to a new combination.

The moral equivalent of "admin,password" happens all the time with physical locks.

With physical goods, the key is often sold with a default bitting. (Which is the data embodied in the key equivalent to the password.) That's because just ordering the default is often cheaper, and the contractor will often just opt for the cheapest option. It wouldn't surprise me if this also happened with combination locks.

https://www.youtube.com/watch?v=a9b9IYqsb_U

"The fact that the combination was in a specific pattern and did not appear to be a random combination of numbers could also factor into a calculation of the odds, he added."

Hehe. I guess he'll have to produce a list of non-random numbers to work those odds out.

Randomness produces patterns all the time, and if we cut out the patterns that appear, then we are selecting the pattern that we’ve labeled as ‘random.’
Humans are terrible at selecting truly random numbers so if the combination was picked by a person, and people who were guessing were also people, then I would say that the odds are significantly better that the safe would be cracked than what you would expect from calculating the permutations.
I think it was a joke. What would it mean to produce a list of non-random numbers?
If the code was 20-40-60 and the "enlisted help of experts" failed to crack it, then said experts are not really up to scratch.
>The odds of Mr Mills correctly guessing the combination are pretty long, says the University of Toronto's Jeffrey Rosenthal, author of Knock on Wood: Luck, Chance, and the Meaning of Everything.

>He calculated the chance of correctly guessing the combination on one try as 1 in 216,000. (His calculation assumed the safe numbers actually ran from one to 60).

Glad they managed to find an expert with the calculating skill to clear up that other enigma as well.

Just to be cranky, shouldn't we eliminate all the permutations that use the same number three times? (i.e. 11-11-11)? My knowledge of combination locks doesn't extend much beyond goofing with Master locks in high school, but the more rudimentary designs require that the middle number be different from either of the two end ones. This doesn't sound like a super-advanced safe.
Not only different, but different by a couple of digits to account for the width of the tabs on the discs inside the lock that you are rotating with the knob.
All the safes I have used have codes that get closer to ‘0’ with each turn/direction change. This might be a low number when turning anti-clockwise or a high one when turning clockwise. These weren’t sophisticated mechanisms, so it might just be these models.
For those who are unaware, this is a standard factory code for safes.
1 in 216000... seems like you could build some robotic device to brute force that pretty easily... or you know, introduce it to a thermic lance.

EDIT: sorry, my research suggests that safe-cracking with thermic lances is plausible but not practical (source; Mythbusters, of course)

Sure, but an unopened safe with mysterious contents is a better attraction :)

Actually, having that and letting visitors try is really cool.

Irrespective of how practical thermic lances are, the likelihood that there would be something more valuable inside the safe than the safe itself was low (that’s also confirmed now by the actual contents of the safe) and that’s probably why destructive opening of the safe was never even considered.

The safe itself was the exhibition piece that was valuable to the museum. Destroying it just to get at its unknown but probably boring contents would have been pointless.

Well yeah, but that would almost certainly have destroyed the contents, which turned out to be all paper.
"he noted that some combination locks allow for wiggle-room and if this one had a three-digit leeway, Mr Rosenthal put the chances at 1 in 8,000, "which is still a small chance"."

If this is the case, and there have been museum visitors having a go at opening the safe each day... this becomes a non story, right?

Humans are terrible at picking random numbers, it's quite likely many people tried the same thing (more or less).
But if the code was set by humans, it just makes finding it even more likely...
Only if somebody uses a human generated number (as done in this case). If it's genuinely random then it could take humans quite a while.
Also I would assume most people would try more than once.
That museum is lucky to get visitors on some days.

It is only open from 1pm to 5pm, May to September, week days only.

Compare with Disneyland for footfall.

A volunteer could have had the time whilst waiting for visitors to give it a go though.

Reminds me of the time I was playing a computer game, and right at the beginning you are presented with a door 5-digit combination lock. The objective of the game was to explore the game world and eventually discover all 5 digits of the code.

First time I played the game I just randomly entered 5 digits, and the door unlocked.

Myst series?
That's what came to my head too. It still took me many hours more game play to find out WHAT I had unlocked and what to do with it.
I’m getting exam flashbacks. “You can’t just write the answer, you must show workings. How did you get there?”
Perhaps you applied a buggy crack or patch.
We have gotten to that point that so many new games are making references to "0451" being the first door code in old video games (System Shock, Deus Ex), you can pretty reliably use it as a first guess [0].

[0] https://www.ttlg.com/forums/showthread.php?t=147925

I remember my uncle playing my copy of Bioshock way back when, he walked up to a random door and typed in 0451 and it opened. My mind was blown.
(comment deleted)
> Typical combination lock

Now hands up everyone who's TSA luggage lock combination is 9-1-1. Social engineering is the most interesting cracking to me.

I prefer 666 as a subtle reminder to the thief that they are being naughty.
What are the chances someone will crack any safe and that it will be a news worthy item?

Sounds like the newest hippest curve ball question on an interview :D

The chances of getting to correct number + (the number of news reporters per square mile in the town/total population per square mile)
If the combination does allow for wiggle room and the 1 in 8000 figure is correct, the code could have been brute forced in a couple hours. Source: my wife has a habit of forgetting the combination to her 3 digit luggage lock and I had to brute force it a few times (it's surprisingly quick, about 15 minutes) :)
Hahah I really appreciate the effort you put in with that
I bruteforced a 4-digit 2FA in 2 days, of course with the help of a small script instead of trying it myself. It's always fun to see dumb solutions work.
if it works, it's not a dumb solution :)
It is if olalonde doesn't want to have to break into his wife's luggage every couple of weeks...
"If it's stupid and it works, then it's not stupid" — my motto
Rephrasing for brevity: "Nothing stupid works."
I took two things away from my AI class.

1) If brute force doesn't work, you're not using enough.

2) Do the stupid thing first.

Reminds of things my dad would say about mechanical work...

"Use a bigger hammer". "If it jams, force it. If it breaks, it was going to break anyway".

Did you vary your code, or just try the same code until it was the correct one?
The good thing about normal combination locks is that you can try all combinations sequentially with minimum movement.

  000 start
  001 1 move
  002 1 move
  ...
  008 1 move
  009 1 move
  019 1 move
  018 1 move
  ...
  011 1 move
  010 1 move
  020 1 move
  021 1 move
  ...
and so on.
I feel like saving 1 move in 10 (9 to 10 is 2 moves, 10 to 11 is back to 1 move) is not worth the mental capacity required to remember current up/down direction. Easier to let the muscles do the work and let your mind wonder.
That's a good point, though I do think that it's not that big of a mental hurdle. Consider knitting, for example.
That sounds similar to the concept of Gray code [0].

For electronic locks, there is a similar method that allows you to try a 4-digit code for each key press [1].

[0] https://en.wikipedia.org/wiki/Gray_code [1] http://alvaray.org/brute-forcing-pincode-keypads-using-combi...

In practice 009 to 010 is a single move, because your thumb can cover and turn two or more wheels at once.
I had this in university - when I started some documents I needed were delivered to my uni mailbox which was guarded by a code, but we weren't due to get our code until we had completely "matriculated" (signed in, got our IDs, etc). So I just sat down with a couple of beers and set out out to try all 9999 combinations (it was thankfully in the 2000s or so).

Made me realise that my university mailbox wasn't actually that secure ...

Ok, here’s one for you. This is almost too painful to repeat it’s so bad. When I went to college, the university implemented at 4 digit prefix that students would use when dialing from a campus phone so they could charge long distance calls directly to their university bill. With only 9999 numbers allocated to 6000 students, it was comically simple to use a random number and make that long overdue call to mom.

Right. It lasted a month before it was scrapped.

In the town I live, there was an incident a few years ago with a teenager who got access to his mother’s handgun. She had the gun in a gun safe, with a four digit combo. The teen came home every day after school and started brute-forcing the password. 0000, 0001, and so on. He was determined and patient, and it worked.

https://www.pantagraph.com/news/local/crime-and-courts/teen-...

> Source: my wife has a habit of forgetting the combination to her 3 digit luggage lock

Luggage locks are notoriously easy to open just by listening to them carefully while you try to force them open and slowly turn each digit.

Would they have known about the wiggle room without opening the safe, though? I figured they found this out after inspecting the lock once the safe was open. So if they didn't know about this wiggle room -- or know what amount of wiggle was allowed -- could they have benefited in any way?
Article said they looked up the default combos previously, so they must know the brand and model. That's probably all that's needed to lookup the wiggle room.
Some of these 3-digit locks are so simple/bad one can actually just see the open slot on each ring. After which you just have to align them. If that fails, some of them have just enough space so you can put something thin (like a needle with a bent end) and can feel where the slot is. Usually faster than brute forcing.
We used to do this for amusement with each other's 3-5 tumbler ski locks on the rides to races. It wasn't even brute force, just exploiting weaknesses in the manufacturing

The most useful trick was to put a bit of tension on the lock cable while turning the tunblers. Once we got a feel for it, we could often open unfamiliar locks almost as fast as if we had the combination, and didn't even have to look. You could just feel the gap slip into place.

You are a statistically patient outlier. (however, maybe not on hacker news)
Did I ever tell you the story of how I had to break into the office of the Team Chief of the Logistics Readiness Center inside of the National Military Command Center in the Pentagon?

He had forgotten his briefing slides when he was about to go give an update on all logistics operations for the Chairman of the Joint Chiefs of staff, and he heard the door click behind him.

He had five minutes. He got there in time, with his briefing slides. I then told the Executive Officer of the Day what the combination was, and informed them that they probably needed to change that combo since I now knew what it was.

Ironically, I ended up going through all possible combinations without success. That's when I was told that I was turning the doorknob the wrong way, and I had to start over. It didn't take too long from there.

Alternative headline: after experts fail, museum successfully crowdsources brute force attack on safe, over decades.

With all due respect to Mr. Mills, in this context he's a pawn in someone else's master plan.

> "They have no value really, but they are of great interest to us. It gives us a little bit of idea of what the places were like in 1977, '78," said Mr Kibblewhite.

This must be the most American thing ever. 40 year old stuff treated like they're ancient.

There used to be a joke along the lines of "In Europe people think a 100 miles is a long distance. In the States people think a 100 years is a long time".
>This must be the most American thing ever.

Guys, who's going to be the one to tell him?

I’m sure the Canadians will be here shortly to correct him.
The sentence right before is: The pad included receipts for a mushroom burger for C$1.50 ($1.12; £0.59) and a package of cigarettes for C$1.00.
>guys, who's going to be the one to tell him?

Guys, who's going to be the one to tell him ?

In much the same way as your comment being the most European thing ever.
Seems like Europeans, in addition to being pretty snobby, also have a fairly thin skin ;-)
This must be the most HN thing ever. Picking a single thing out of an article and using it to criticize Americans.
Hopefully not. I'd like to think the people here are better than that.
Who said "ancient" other than you? You have no interest in what things were like 40 years ago?
(comment deleted)
California was Mexico less than 200 years ago
>The museum had previously enlisted the help of experts to crack the code

since they have (essentially) infinite time, why couldn't they attach a machine that tries all possible combinations? feels like something that someone from the high school robotics club could come up with.

The article states that the museum is in a town of a little over 4,000 people. My guess is there was simply never the right combination of interest, knowledge, and resources available.
> the right combination

ISWYDT

> why couldn't they attach a machine that tries all possible combinations?

Doesn't it seem to you that (with a very loose definition of "machine") they did?

from a local article on this, "enlisted the help of experts" means they called the local locksmith and asked if they remembered what the combination was. the answer was no.
The code was 20-40-60 is like somebody setting their account password as "password123" to me
https://www.cbc.ca/news/canada/edmonton/vermilion-alberta-sa...

The CBC article differs in two important aspects. The BBC article says they "enlisted the help of experts", when the CBC article says they just called a locksmith who gave them some combinations to try over the phone. The BBC article makes it sound like some tourist just tried a random combination, while in the CBC article, a machinist put his ear to the safe and listened for clicks.

I think they both tell a similar story. Someone on the tour (a machinist) played with the safe and got it open.

The experts tried it at were at a different time in the past.

You can be an expert tourist.
I imagine someone traveling wearing khakis with lots of pockets, pulling a wheelie cart with a handle, breezing through airport security and opening encountered locks in moments.
He is being followed by a guy in a pith helmet with a moustache and a big gun.
Its interesting that this is interesting.

People win the lottery all the time, they aren't newsworthy in the 'lucky guess' sense.

On the other hand whenever someone gets out a pack of cards I always try and guess the top card. Eventually I'll get it right.

(comment deleted)
Everyone is so amazed that he opened the safe “on the first try” but the article also says, “Like the Mills family, other museum visitors played around with trying to open it, with no success.“ Moreover the museum had had the safe since the mid 90s, at least 20 years... sounds like lots of tries by tourists... is it really so surprising that someone eventually opened it? Probably people don’t sit there all day, they try once or twice then let the next person have a go... so maybe 50% chance that the person that opened it would get it on their “first try”. (If not the article would have said “almost immediately” which would be nearly as newsworthy.) Sounds like the multiple comparisons fallacy.

More-moreover, not unlikely there are multiple safes in public places like this in the world (I have seen at least one before in an antique shop that people would try like this) but this is the one that got opened and therefore written up in the news... sounds like survivorship bias.

During high school, I played a lot of morrowind and thought it was cool to learn how to pick locks. I had already known how to break combination locks, and I already taught myself to open traditional pin and tumbler locks. I saw a number lock with 4 digits and I couldn't help myself. Considering they were just numbers I thought to myself, this is a guaranteed crack. So every day before and after class, I would take a minute to mechanically go through about 50 numbers. Testing numbers is surprisingly quick.

It only took me like 3-4 weeks of testing a few numbers before and after class and I had it open.

The loot? A pair of used gym socks, shoes, and one of those math homework books you write in.