A combination "20 - 40 - 60" on a dial that goes from 1 to 60... Sounds like an equivalent of a factory-default admin/admin login credentials.
I wonder if it really was the default combination that the safe was bought with, and the owners never bothered to change it. :)
>The museum had previously enlisted the help of experts to crack the code, tried default combinations, and had contacted former hotel employees to see if they could help.
It doesn't sound like it was the default, just a "password1" situation.
> A combination "20 - 40 - 60" on a dial that goes from 1 to 60... Sounds like an equivalent of a factory-default admin/admin login credentials.
The article explains that it was a common combination for people to use on this type of safe - "Typical combination lock, three times clockwise - 20 - two times counterclockwise - 40 - once clockwise - 60, tried the handle and it went".
So that's a quote from the museum visitor who opened it. I don't think he knew "common combinations on this type of safe". I think he was saying what was typical was the mechanism, three times clockwise [some number], two times counter-clockwise [some number], etc. Not the numbers.
We of course wouldn't have heard about it if it wasn't succesful. The real odds are "how many safes are there like this that people are trying all over the world, and what's the chance that someone at ONE of them would succeed." :)
When you turn in a container with a classic combination lock in the DoD world, you set the combination to 10-20-30-40. The next person issued the container opens it and sets it to a new combination.
The moral equivalent of "admin,password" happens all the time with physical locks.
With physical goods, the key is often sold with a default bitting. (Which is the data embodied in the key equivalent to the password.) That's because just ordering the default is often cheaper, and the contractor will often just opt for the cheapest option. It wouldn't surprise me if this also happened with combination locks.
"The fact that the combination was in a specific pattern and did not appear to be a random combination of numbers could also factor into a calculation of the odds, he added."
Hehe. I guess he'll have to produce a list of non-random numbers to work those odds out.
Randomness produces patterns all the time, and if we cut out the patterns that appear, then we are selecting the pattern that we’ve labeled as ‘random.’
Humans are terrible at selecting truly random numbers so if the combination was picked by a person, and people who were guessing were also people, then I would say that the odds are significantly better that the safe would be cracked than what you would expect from calculating the permutations.
>The odds of Mr Mills correctly guessing the combination are pretty long, says the University of Toronto's Jeffrey Rosenthal, author of Knock on Wood: Luck, Chance, and the Meaning of Everything.
>He calculated the chance of correctly guessing the combination on one try as 1 in 216,000. (His calculation assumed the safe numbers actually ran from one to 60).
Glad they managed to find an expert with the calculating skill to clear up that other enigma as well.
Just to be cranky, shouldn't we eliminate all the permutations that use the same number three times? (i.e. 11-11-11)? My knowledge of combination locks doesn't extend much beyond goofing with Master locks in high school, but the more rudimentary designs require that the middle number be different from either of the two end ones. This doesn't sound like a super-advanced safe.
Not only different, but different by a couple of digits to account for the width of the tabs on the discs inside the lock that you are rotating with the knob.
All the safes I have used have codes that get closer to ‘0’ with each turn/direction change. This might be a low number when turning anti-clockwise or a high one when turning clockwise. These weren’t sophisticated mechanisms, so it might just be these models.
"Some modern safe locks are made of lightweight materials such as nylon to inhibit this technique, since most safe exteriors are made of much denser metals"
Irrespective of how practical thermic lances are, the likelihood that there would be something more valuable inside the safe than the safe itself was low (that’s also confirmed now by the actual contents of the safe) and that’s probably why destructive opening of the safe was never even considered.
The safe itself was the exhibition piece that was valuable to the museum. Destroying it just to get at its unknown but probably boring contents would have been pointless.
"he noted that some combination locks allow for wiggle-room and if this one had a three-digit leeway, Mr Rosenthal put the chances at 1 in 8,000, "which is still a small chance"."
If this is the case, and there have been museum visitors having a go at opening the safe each day... this becomes a non story, right?
Reminds me of the time I was playing a computer game, and right at the beginning you are presented with a door 5-digit combination lock. The objective of the game was to explore the game world and eventually discover all 5 digits of the code.
First time I played the game I just randomly entered 5 digits, and the door unlocked.
We have gotten to that point that so many new games are making references to "0451" being the first door code in old video games (System Shock, Deus Ex), you can pretty reliably use it as a first guess [0].
If the combination does allow for wiggle room and the 1 in 8000 figure is correct, the code could have been brute forced in a couple hours. Source: my wife has a habit of forgetting the combination to her 3 digit luggage lock and I had to brute force it a few times (it's surprisingly quick, about 15 minutes) :)
I bruteforced a 4-digit 2FA in 2 days, of course with the help of a small script instead of trying it myself. It's always fun to see dumb solutions work.
I feel like saving 1 move in 10 (9 to 10 is 2 moves, 10 to 11 is back to 1 move) is not worth the mental capacity required to remember current up/down direction. Easier to let the muscles do the work and let your mind wonder.
I had this in university - when I started some documents I needed were delivered to my uni mailbox which was guarded by a code, but we weren't due to get our code until we had completely "matriculated" (signed in, got our IDs, etc). So I just sat down with a couple of beers and set out out to try all 9999 combinations (it was thankfully in the 2000s or so).
Made me realise that my university mailbox wasn't actually that secure ...
Ok, here’s one for you. This is almost too painful to repeat it’s so bad. When I went to college, the university implemented at 4 digit prefix that students would use when dialing from a campus phone so they could charge long distance calls directly to their university bill. With only 9999 numbers allocated to 6000 students, it was comically simple to use a random number and make that long overdue call to mom.
In the town I live, there was an incident a few years ago with a teenager who got access to his mother’s handgun. She had the gun in a gun safe, with a four digit combo. The teen came home every day after school and started brute-forcing the password. 0000, 0001, and so on. He was determined and patient, and it worked.
Would they have known about the wiggle room without opening the safe, though? I figured they found this out after inspecting the lock once the safe was open. So if they didn't know about this wiggle room -- or know what amount of wiggle was allowed -- could they have benefited in any way?
Article said they looked up the default combos previously, so they must know the brand and model. That's probably all that's needed to lookup the wiggle room.
Some of these 3-digit locks are so simple/bad one can actually just see the open slot on each ring. After which you just have to align them. If that fails, some of them have just enough space so you can put something thin (like a needle with a bent end) and can feel where the slot is. Usually faster than brute forcing.
We used to do this for amusement with each other's 3-5 tumbler ski locks on the rides to races. It wasn't even brute force, just exploiting weaknesses in the manufacturing
The most useful trick was to put a bit of tension on the lock cable while turning the tunblers. Once we got a feel for it, we could often open unfamiliar locks almost as fast as if we had the combination, and didn't even have to look. You could just feel the gap slip into place.
Did I ever tell you the story of how I had to break into the office of the Team Chief of the Logistics Readiness Center inside of the National Military Command Center in the Pentagon?
He had forgotten his briefing slides when he was about to go give an update on all logistics operations for the Chairman of the Joint Chiefs of staff, and he heard the door click behind him.
He had five minutes. He got there in time, with his briefing slides. I then told the Executive Officer of the Day what the combination was, and informed them that they probably needed to change that combo since I now knew what it was.
Ironically, I ended up going through all possible combinations without success. That's when I was told that I was turning the doorknob the wrong way, and I had to start over. It didn't take too long from there.
> "They have no value really, but they are of great interest to us. It gives us a little bit of idea of what the places were like in 1977, '78," said Mr Kibblewhite.
This must be the most American thing ever. 40 year old stuff treated like they're ancient.
There used to be a joke along the lines of "In Europe people think a 100 miles is a long distance. In the States people think a 100 years is a long time".
>The museum had previously enlisted the help of experts to crack the code
since they have (essentially) infinite time, why couldn't they attach a machine that tries all possible combinations? feels like something that someone from the high school robotics club could come up with.
The article states that the museum is in a town of a little over 4,000 people. My guess is there was simply never the right combination of interest, knowledge, and resources available.
from a local article on this, "enlisted the help of experts" means they called the local locksmith and asked if they remembered what the combination was. the answer was no.
The CBC article differs in two important aspects. The BBC article says they "enlisted the help of experts", when the CBC article says they just called a locksmith who gave them some combinations to try over the phone. The BBC article makes it sound like some tourist just tried a random combination, while in the CBC article, a machinist put his ear to the safe and listened for clicks.
I imagine someone traveling wearing khakis with lots of pockets, pulling a wheelie cart with a handle, breezing through airport security and opening encountered locks in moments.
Everyone is so amazed that he opened the safe “on the first try” but the article also says, “Like the Mills family, other museum visitors played around with trying to open it, with no success.“ Moreover the museum had had the safe since the mid 90s, at least 20 years... sounds like lots of tries by tourists... is it really so surprising that someone eventually opened it? Probably people don’t sit there all day, they try once or twice then let the next person have a go... so maybe 50% chance that the person that opened it would get it on their “first try”. (If not the article would have said “almost immediately” which would be nearly as newsworthy.) Sounds like the multiple comparisons fallacy.
More-moreover, not unlikely there are multiple safes in public places like this in the world (I have seen at least one before in an antique shop that people would try like this) but this is the one that got opened and therefore written up in the news... sounds like survivorship bias.
During high school, I played a lot of morrowind and thought it was cool to learn how to pick locks. I had already known how to break combination locks, and I already taught myself to open traditional pin and tumbler locks. I saw a number lock with 4 digits and I couldn't help myself. Considering they were just numbers I thought to myself, this is a guaranteed crack. So every day before and after class, I would take a minute to mechanically go through about 50 numbers. Testing numbers is surprisingly quick.
It only took me like 3-4 weeks of testing a few numbers before and after class and I had it open.
The loot? A pair of used gym socks, shoes, and one of those math homework books you write in.
117 comments
[ 3.0 ms ] story [ 164 ms ] threadIt doesn't sound like it was the default, just a "password1" situation.
The article explains that it was a common combination for people to use on this type of safe - "Typical combination lock, three times clockwise - 20 - two times counterclockwise - 40 - once clockwise - 60, tried the handle and it went".
"admin", "admin"? Nope.
"admin", "passwd"? Yep!
We of course wouldn't have heard about it if it wasn't succesful. The real odds are "how many safes are there like this that people are trying all over the world, and what's the chance that someone at ONE of them would succeed." :)
When you turn in a container with a classic combination lock in the DoD world, you set the combination to 10-20-30-40. The next person issued the container opens it and sets it to a new combination.
With physical goods, the key is often sold with a default bitting. (Which is the data embodied in the key equivalent to the password.) That's because just ordering the default is often cheaper, and the contractor will often just opt for the cheapest option. It wouldn't surprise me if this also happened with combination locks.
https://www.youtube.com/watch?v=a9b9IYqsb_U
Hehe. I guess he'll have to produce a list of non-random numbers to work those odds out.
https://en.m.wikipedia.org/wiki/Interesting_number_paradox
I suppose the smallest random number is also not random :)
>He calculated the chance of correctly guessing the combination on one try as 1 in 216,000. (His calculation assumed the safe numbers actually ran from one to 60).
Glad they managed to find an expert with the calculating skill to clear up that other enigma as well.
EDIT: sorry, my research suggests that safe-cracking with thermic lances is plausible but not practical (source; Mythbusters, of course)
https://hackaday.com/2011/03/09/automatic-lock-cracker-makes...
https://www.youtube.com/watch?v=_fTz2D6x20U
Actually, having that and letting visitors try is really cool.
https://www.youtube.com/watch?v=ovqJpcaWD7o
but not with every safe:
"Some modern safe locks are made of lightweight materials such as nylon to inhibit this technique, since most safe exteriors are made of much denser metals"
https://en.wikipedia.org/wiki/Safe-cracking#Radiological_met...
The safe itself was the exhibition piece that was valuable to the museum. Destroying it just to get at its unknown but probably boring contents would have been pointless.
If this is the case, and there have been museum visitors having a go at opening the safe each day... this becomes a non story, right?
It is only open from 1pm to 5pm, May to September, week days only.
Compare with Disneyland for footfall.
A volunteer could have had the time whilst waiting for visitors to give it a go though.
First time I played the game I just randomly entered 5 digits, and the door unlocked.
[0] https://www.ttlg.com/forums/showthread.php?t=147925
Now hands up everyone who's TSA luggage lock combination is 9-1-1. Social engineering is the most interesting cracking to me.
Sounds like the newest hippest curve ball question on an interview :D
1) If brute force doesn't work, you're not using enough.
2) Do the stupid thing first.
"Use a bigger hammer". "If it jams, force it. If it breaks, it was going to break anyway".
[1] http://www.icir.org/vern/papers/witty-imc05.pdf
For electronic locks, there is a similar method that allows you to try a 4-digit code for each key press [1].
[0] https://en.wikipedia.org/wiki/Gray_code [1] http://alvaray.org/brute-forcing-pincode-keypads-using-combi...
Those "try all n in shortest combination" sequences are called De Bruijn sequences in general.
https://en.wikipedia.org/wiki/De_Bruijn_sequence
Made me realise that my university mailbox wasn't actually that secure ...
Right. It lasted a month before it was scrapped.
https://www.pantagraph.com/news/local/crime-and-courts/teen-...
Luggage locks are notoriously easy to open just by listening to them carefully while you try to force them open and slowly turn each digit.
The most useful trick was to put a bit of tension on the lock cable while turning the tunblers. Once we got a feel for it, we could often open unfamiliar locks almost as fast as if we had the combination, and didn't even have to look. You could just feel the gap slip into place.
He had forgotten his briefing slides when he was about to go give an update on all logistics operations for the Chairman of the Joint Chiefs of staff, and he heard the door click behind him.
He had five minutes. He got there in time, with his briefing slides. I then told the Executive Officer of the Day what the combination was, and informed them that they probably needed to change that combo since I now knew what it was.
Ironically, I ended up going through all possible combinations without success. That's when I was told that I was turning the doorknob the wrong way, and I had to start over. It didn't take too long from there.
https://www.youtube.com/watch?v=_JNGI1dI-e8
With all due respect to Mr. Mills, in this context he's a pawn in someone else's master plan.
This must be the most American thing ever. 40 year old stuff treated like they're ancient.
Guys, who's going to be the one to tell him?
Guys, who's going to be the one to tell him ?
http://www.sfweekly.com/news/why-a-laundromat-might-be-consi...
http://www.openculture.com/2013/04/learn_how_richard_feynman...
since they have (essentially) infinite time, why couldn't they attach a machine that tries all possible combinations? feels like something that someone from the high school robotics club could come up with.
ISWYDT
Doesn't it seem to you that (with a very loose definition of "machine") they did?
The CBC article differs in two important aspects. The BBC article says they "enlisted the help of experts", when the CBC article says they just called a locksmith who gave them some combinations to try over the phone. The BBC article makes it sound like some tourist just tried a random combination, while in the CBC article, a machinist put his ear to the safe and listened for clicks.
The experts tried it at were at a different time in the past.
People win the lottery all the time, they aren't newsworthy in the 'lucky guess' sense.
On the other hand whenever someone gets out a pack of cards I always try and guess the top card. Eventually I'll get it right.
More-moreover, not unlikely there are multiple safes in public places like this in the world (I have seen at least one before in an antique shop that people would try like this) but this is the one that got opened and therefore written up in the news... sounds like survivorship bias.
https://finance.uonbi.ac.ke/node/116134
It only took me like 3-4 weeks of testing a few numbers before and after class and I had it open.
The loot? A pair of used gym socks, shoes, and one of those math homework books you write in.