Slashdot Mirror
Kryptonite U-Lock Security Flaw
An anonymous reader writes "Once upon a time, a magic marker was able to defeat the Key2Audio copy protection scheme of older Sony CDs. Now, it has been shown that a Bic pen can easily open several models of Kryptonite U-locks. Please patch your systems, or install a tracking device on your bikes!"
Those environmentalists in Neal Stephenson's Zodiac won't be very happy to learn this...
Do not look into laser with remaining eye.
Like Coke machines? Same vulnerability? Of course your pen barrel would need to be MUCH bigger
I used to be a bike messenger and I would have always told you, use a New York
Lock, which by the way, isn't vunerable to this attack. It's the best lock in
the world, but at $50, only bike messengers seem to care enough/or know enough
to pay the money. Honestly, I can't count the number of times I've seen
expensive 1K and up bikes locked up with a $20 lock. If that.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
Normally the Oregonian is nothing to brag about, but damn if this wasn't the lead articlef ?/base/front_page/1095508748276280.xml
http://www.oregonlive.com/news/oregonian/index.ss
on Saturday morning.
Makes me feel good to live in this town (Portland, aka Stumptown, aka River City aka the Rose City aka "the city that works") where the most important news in the world is that the locks we all use to secure our bikes aren't technically "locks." at all.
PDX is one two wheelin' city.
While this is certainly something that lock manufacturers need to deal with, everyone needs to also keep one simple idea in mind.
The purpose of a lock is to keep honest and semi-honest people from taking your stuff. If someone is damned and determined to take your bike, he's going to get it, regardless of what lock you use.
I also have to nod in agreement with an earlier poster who pointed out that for the price of a fancy lock, you can get a bike that no one wants to steal. This is a perfect example of why my everyday driver car is an old beater that no one in their right mind would want to steal. If you're going to drive fancy stuff, then you have to accept that you are going to be a target.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
I remember Kryptonite locks have a manufacturer's guarantee against thief. Is this covered? If someone's bike gets stolen, would they replacec it still?
EvilCON - Made Famous by
No it isn't. It's a flaw in any cheap locks. You can open filling cabinets with a popsicle stick as well, and they aren't barrel locks.
This is a problem with any lock.
There are 2 things that a lock needs to prevent picking.
1) A system that will prevent it from unlocking if any tumbler is pushed even slightly further than it should have been. If this isn't in-place, even a blank-key that fits the lock will open it.
2) A system that prevents the tumblers from contacting with the locking mechanism. Otherwise, it's trivially easy to pick.
And that's only to impliment basic security. I don't have any format training, but I can open 90+% of locks I see...
Amazing as it may seem, quite a few safes don't follow rule #2. That means you can find the combination as fast as you could open it if you knew the combination. Also, it doesn't require any suspicious activity, as you just have a hand on the dial and a hand on the handle like you're someone that should be there...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
The pins in the lock are vunlerable to being raked because they're all set in roughly the same position. If they were disparate, you couldn't successfully rake them (except if you were very lucky and could bite chunks out of your bic pen to match the right key :)
It is even possible to build these 'unpickable' locks for a small multiple what a standard lock of the same mechanical quality would cost.
You can make it difficult enough that burning or drilling the core, or taking a fire-ax to the door, is much more feasible than any manipulation technique. When the locking mechanism is no longer the weakest link, then it no longer makes sense to spend more on an improved lock.
But jeez, a bic pen and 5 seconds...
Apparently (I've heard from friends) in the cities in China, most bikes are not locked. It's because they are all equally old and dirty. The great thing is, is that you can just take a bike from whatever point you are at, bike it to your destination, and park it there. No one gets pissed because your bike was as equally old and rusty as the next. Kind of like a bike pool. The only problem is if you have a nice bike with shocks and what not, then you have to do the whole lock thing, but hey, it's your damn fault for buying the nice shiny one.
0- Eamonman Proud member of DNRC
And when they do, you've got enough cash saved up to just buy a new one.
Not actually true. There's a lot of discussion on some bike forum (linked from the Slashdot article on lockpicking, which I suspect the submitter ganked this story from) and in the midst of pissing and moaning (and rightfully so) it's pointed out that the pins on the Kryptonite locks have a much smaller length span than in most locks. Also, it only takes a quarter turn of the Kryptonite lock to unlock it, whereas more secure tubular locks must be turned farther. (posting from memory, so adequately, but not completely accurate)
Your brain is not a computer.
Ya but it's more expensive to design a secure lock. I mean when I went sniffing about for house locks I could get most major brands like Kwikset at home depot for less than $50. This generally included a deadbolt and handle, sometimes more than one of each. Problem is they are quite easy to pick, as you note. You can literally use a paperclip and screwdriver, never mind if you have good tools, and you can get the keys copied anywhere.
Well there was also the Medeco high security lock option. These are near impossible to pick and have odd keys that only dealers can copy, and they won't without ID. Great security, but also $200 just for a deadbolt, and like $10 per key.
For my house, I'll drop $200 on a lock. The fact that roomates can't copy keys almost justifies it alone. For a bike, I dunno. I'm sure if Medeco made a U-lock it would be excellent in all respects and near unpickable, but am I going to spend over 50% of the bike's price on a lack, espically when a little liquid nitrogen could defeat it (of which we have a 5000 gallon tank at work)? Much harder sell there.
I do understand why most locks are cheap. People want to save money and most don't understand what is required to make a good lock. It's not like it's outwardly apparant. A good Kwikset lock looks in every way as sturdy as a Medeco. You have to understand how the internals work to understand which is better.
There's actually been a lot of work done studying the replacement rate for criminals. In areas like this (petty theft of unsecure items on the street) or drug dealing, a criminal who is arrested is often replaced on the street by another criminal before he's fingerprinted... You can't stop crime by locking up criminals because many crimes are created by some combination of poverty, opportunity, and moral flexibility. In the case of drug dealers (the class of criminal for whom this is most true), there's not even the moral flexibility requirement. (It's plainly not immoral to sell drugs -- merely illegal.)
Not true. In my eight years here in China / Taiwan, I have never found an unlcoked bike (regardless the bike's age or condition).
Almost every domestically made bike comes with a fixed wheel lock operated by a key.
The first and only bike I bought in China was from a market in Beijing specialising in stolen bikes. I had it for about a week until it was stolen.
In every city and large town there are bike park lots staffed with security staff who take your 10 cents and guard over the bikes.
A dream is good. A plan is better.
chances are they are never going to give a shit, no matter how much you lead by example.
on one hand, you will never be around enough to influence their path.
the other hand is, when they see you work twice as hard for half as much their perception is going to be that you're not doing something right.
if you really want to do them a favor and change their lives, get a batman costume and start cracking heads.
no pun intended.
scott king
Dunno if this works against Kryptonite, but here's a tubular lock pick:p roduct=48
http://www.lock-depot.com/Scripts/prodView.asp?id
Not really. As someone who lives in Sweden and commutes on the train into Stockholm to school every day, I often see bikes left near the train station unlocked.
Of course, that may just be my neighborhood...
Be a PATRIOT--because the only thing we have to fear is the lack thereof.
Yep, I'd bet that there's ten times more bikes in Sweden per person...
I use a Brompton folding bike http://bromptonbicycle.co.uk/ and don't use a lock. You don't need a lock when the bike can fit under your office chair. The bike comes with me wherever I go, e.g. underneath the shopping cart as I go grocery shopping, etc. I keep it in the trunk of my (compact) car --in fact, it folds small enough that I can fit my wife's Brompton as well as mine in the trunk-- and if I need to go somewhere were parking is a problem, I can park a few blocks away and zip to my destination on the bike.
b ike/
Here's a (coralized) link to my web site showing the bike as it unfolds:
http://dreaming.org.nyud.net:8090/~kwtam/folding/
(as usual, Slashdot has inserted a space into the text...)
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
I've read this same exact post multiple times, and I still don't understand how having to turn it a quarter turn requires multiple picking. Any way to expand on this?
In Finland almost every house lock is an Abloy lock, which is based on rotating discs... the design is 90 years old and it's still quite hard to pick a lock with the least number discs, 4 or 5...
In my house lock there's 9 rotating discs and the center of the key is less than one millimeter thick...
And now they have this Protec http://www.abloy.com.au/videos/Abloy_Protec.wmv
Don't forget, many mental illnesses are cognitive/learned. This means that the society they grow up in will have some affect on them. Even with disorders that are mainly genetic, some of the traits they have will be cognitive. E.G. Despite the misconception that people with schizophrenia are often dangerous, they are usually not. The ones who are are more likely to have been abused etc. as well.
Then there is the "sociopathic" personality, which can be born that way or become that way with certain brain injuries. People who just can't feel or see things from another person's perspective. Humans do this alot as a survival tactic - how else do you drive a tank around Iraq and shoot at people and not want to suicide? You do it for the greater good, or whatever, maybe. But you still sit in relative safety and point weapons of minor distruction (like your cannon) at real people who will feel pain or die. Its a trait most of us have, and it has survival value.
But people with antisocial personality disorder who do things such as chop up kids have been abused most of the time. Their antisocial tendencies mean that yes, the are more susceptible to do such things, but that is different from doing it.
BTW. the people in Iraq who are driving around killing people went over there believing that it was necessary, and that they were helping people. Even if they killed a baby, they can easily dump this on their "these things happen/it's for the better" defence mechanism.
Some people don't percieve risk the same way you do, either. Some people have to jump out of airplanes with parachutes just to feel alive.
I've addressed this in another reply to my post.
And some people don't know that they are commiting a crime - Taping your TV show's to watch later is a crime in some countries (like Australia).
Heh. Find me one adult that doesn't know that society believes taking a bike from someone is wrong. Were's not talking about software here. After all society says what is right and wrong. Not the government.
In essence - its not that simple. There are lots of reasons for crime, lots of motiviations, and lots of times where the person didn't really understand the risk/reward relationship for crime the same way you do.
Never said it was simple. It isn't. I agree. But saying that people steal for the hell of it certainly is simplistic thinking.
Only one slight flaw in your post. Bicycle Business magazine hasn't been going 12 years. However, it was known about as far back as 1988 in other magazine tests though not published and repeated in 1992 and published. Bicycle Business recently reported on this story quoting the other publications. During that time Kryptonite and other manufacturers of these locks have continued to produce locks with tubular locks and consumers have continued buying them.
But, now we've got the net, it's now spread much further than some obscure British cycling magazine, is searchable and even comes with tutorial videos.
Kudos to Kryptonite for fessing up and supplying fixes - nobody else has. Brickbats for not doing it in 1988.
I can't believe how expensive broadband is.
So far, I havn't been too impressed with Sweden or the apartment I am living in. After 4 weeks my new apartment is still without furniture, despite me paying 200 kr a month for furniture rental and talking to everyone I can who might have any power over that fact. I'm still sleeping on the floor in the corner of my empty room. Up until a week ago, I didn't even have light/electricity. And the apartment is supposed to have that all included.
Not to mention that it is a three room apartment (it is a family apartment that has been rented out by the studentbostad for students), yet they crammed three Pakistanis into one room, so now I am living with four other people, with no furniture, and no internet access.
If I didn't know any better, I might even think Sweden was a third world country.
WTF PEOPLE!!
This isn't a "known caveat", this is gross neglience on the part of a manufacturer.
While this is certainly something that lock manufacturers need to deal with, everyone needs to also keep one simple idea in mind.
The purpose of a lock is to keep honest and semi-honest people from taking your stuff. If someone is damned and determined to take your bike, he's going to get it, regardless of what lock you use.
People like you are totally missing the point. This is like an airbag company making airbags that don't work 90% of the time! Sure it's a better idea never to get in an accident, but that's not the frickin point.
The point is kryptonite's locks are billed as "highly secure". They are not. This has been known in select circles (and kryptonite was informed) since at least 1992, yet the manufacturer has done nothing with that information to fix the problem.
I also have to nod in agreement with an earlier poster who pointed out that for the price of a fancy lock, you can get a bike that no one wants to steal.
This is total nonsense. Increbile POS bikes get stolen all the time, see my post about my friend's bike.
Life is too short to proofread.
man, thanks, i didn't think it was flamebait either.
i used to work at the local technical institute, so i feel ya on the no one gets fired or promoted thing. there was a room their with nothing but receptionists. they didn't necessarily receive anything, they were just there, in case customer service or a dept head needed one.
most likely they were there just to make sure there was money in the budget for next year.
i think a lot of slashdotters scan posts, and at a glance, mine looked like flamebait. whatever, it's just slashdot. the whole reason i come here is to see flamebait, and a lot of times the comments are so shortsighted that it all looks like flamebait to me anyway.
scott king
"Do you think vandals, not those that spray paint their names or make a pretty pictures, but those that break shit - do it for fame, fortune or otherwise? What do serial arsonists gain? Nothing."
I'm not sure if I'd lump vandals and arsonists into the same motivational pile that quickly. I've spent some time trying to understand what the payoff for certain abberant behaviors is, and I've got a theory that some of them may be doing it for one of the most powerful motivational reasons that can exist for a human being.
Most people are aware of a highly pleasurable feeling that comes at the moment before orgasm, and most can come up with other situations where they felt something very vaguely like it, such as a pleasurable tickling of the brain when listening to a certain passages of music.
Now, what if individuals are all hooked up slightly differently with regards to what they find pleasurable? Do you think some might feel pleasure when looking into a window and seeing someone who is attractive who is unaware of being observed? How about when poking a finger into a loaf of bread in a grocery store and leaving it on the shelf? Shoplifting? Sniffing bicycle seats? Setting a fire?
Consider that some people may be wired up so that they get that little tickle under some bizarre or destructive circumstances that make little sense to you or I. Some people appear to be wired up to feel strong pleasurable responses under some rather undesirable circumstances. For them, it's a curse.
The mechanism of how pleasurable endorphine feedback response works, what triggers it, and why some people appear to have wound up with different triggers and suppression mechanisms than others is not well understood, but anyone who ignores it when trying to figure out what motivates some people to do strange, deviant, antisocial, or destructive things may be missing an important piece of the puzzle.