Bump Keying HowTo

Filed under: Hobbies, Home, Techie — tylerl [ August 16, 2006 @ 12:38 am ]

Edit: 7/7/08: Two years ago I posted this article with the intention of fueling the fire of public discontent with the existing lock technology, with the hopes that it would drive the lock makers to respond with better, more secure technology.

I’ve recently learned that the companies that make these products have, after literally decades of knowingly shipping insecure products, begun to respond to the challenge and actually build a safer product. Master Lock, in particular, has released what they call “bump stop” technology, with a specially crafted pin that makes lock bumping difficult if not impossible. Here’s a YouTube video describing the technology.

At the moment, this type of lock is difficult to obtain for residential use; and while technology rarely ever works as well as the manufacturer claims, the important thing here is that bump resistance has become one of the metrics by which the security of a lock is measured, and products are already available to some consumers that address this threat. In short, we’re at least on the right track.

And now, on with the original article.

It Worked

I recently saw a report on bump keying and how it, in theory at least, makes pin-and-tumbler locks useless. I was a bit skeptical, so I decided to try it out.

Using nothing but the little information I had gained through some Internet searches and YouTube videos, I took an old, unused key, filed it down to the appropriate shape, and tried it in my front door.

It worked first try.

This is serious. Though I’ve been taught how to pick locks, I’ve never successfully opened anything other than a simple desk drawer lock. With this one bump key, I can open about 40% of the locks I encounter in my day-to-day activities. A second key will open another 30% of the locks I encounter in a day, and between the two of them, I can open nearly every residential lock I’ve ever seen. This has very serious implications in the world of home security.

Making a bump key is trivially easy, and costs about $4 to do (or free if you already have an old key and a file). It’s not a new technology, and has been used for a few years now by criminals to break into houses without leaving obvious signs of forced entry.

Burying Our Heads in the Sand

Continuing to keep this technique hidden from the public is not serving our best interests. The more expensive locks you can buy at the hardware store are expensive because they’re more difficult to open with a lock pick. Those same locks, though, can be opened in under 10 seconds by a bump key; often, the more expensive the lock, the easier it is to open. Everybody knows about lock picking, so lock makers build locks resistant to that technique. Very few people have heard of bump keying, so lock makers don’t bother to make bump-resistant locks. (There’s good reason for them to drag their feet; bump keying is a very, very difficult technique to guard against without radical changes to the way keys and locks work).

Nonetheless, the problem is here, it’s serious, and it’s not going away. Our only hope for any sort of security is to force lock makers to start selling bump-resistant locks. They’ll do that only when the general public finds out that they’re being sold snake oil, not security. Our only hope is raising awareness.

To that end, I’ve created a simple video showing the basics of how to create and use your own bump key. All you need is an old key and a file to cut it with. You’ll be opening doors within an hour.

http://www.youtube.com/watch?v=pwTVBWCijEQ

Refinement

I’m no expert at this. Not at lock picking, not at bump keying, not at anything I’ve talked about here. However, I know who is. Check out www.toool.nl/bumping.pdf for some refinements on this technique.

In particular, their “Minimal Movement” technique caught my attention. I was surprised to find that the directions in the referenced PDF file were all I needed to make that technique work. Unfortunately, in my zeal to create the most efficient bump key, I managed to file away too much and ruin the key.

However, and this is the point, making a new bump key is so easy that there’s really no way to guard against it. You can’t control it through legislation any more than you can control lock picks (I’ve seen a lock picked with a screwdriver and a paperclip–you can’t outlaw that!).

So try it out, tell your friends. This is an interesting skill that you can master in just a couple of hours, and a great way to impress strangers at parties. More importantly, when word finally gets out that everybody knows how to bump locks, lock makers will have to respond with better security.

Update

I’ve recently added a follow-up article to this one that answers a number of questions and gives further information about how you can protect yourself. The article is (unremarkably) entitled Bump Key Follow Up.

I Need a New Blog

Filed under: Dear Diary, Home, Techie — tylerl [ June 24, 2006 @ 12:57 am ]

I Need a New Blog.

This one is largely an unfocused repository for whatever I happen to have to say at the moment. And while that was the original intention, it’s not an optimal solution. So, I’ve decided to break my writings up into the following categories:

  • Technical articles – How-to’s, explanations, tips, etc. This will probably be the meat of my writings.
  • Personal happenings – Sort of a family newsletter idea. Interesting to relatives and close friends; terribly uninteresting to everyone else.
  • Snide Remarks – Political commentary, opinions, editorials, that sort of thing.

Perhaps there’s more to add, but that should be enough to get along with. I’m pretty sure I’ve got some interesting stuff to say, but one of my primary problems is that it never seems relevant to the subject of my blog… probably because my blog has no subject. Do my latest .NET coding tricks belong here? How about my musings about some bit of software I’ve been trying out? I don’t know.

I would like to have everything hosted on my site: it sure helps my search engine ratings–my personal website is actually ranked higher than my employer’s; higher than most people’s, for that matter (5 of 10 by Google), meaning that most of what I write about becomes “important” in web searches if it’s not too common a topic.

Since I’m going to be changing things around, I’d be interested to hear about alternatives for my blogging software. I’m using WordPress right now; it’s nice and all, but I would like a bit more direct control over the content formatting. Less like Blogger, more like Slashdot, if that makes sense.

Wiki-based systems are somewhat attractive if you can make the paradigm work. WordPress is always an option. I expect that this may become my new homepage, so it should be highly customizable with minimal hacking.

More on this is probably to follow once I get more figured out.

Tech Tricks Podcast

Filed under: Techie — tylerl [ February 22, 2006 @ 11:50 pm ]

I just started a technology podcast I’m calling the “Tech Tricks Podcast.” The first show was posted yesterday the 21st, and runs about 35 minutes. Blogs are great, but podcasts are audio, adding a certain extra bit of interesting-ness.

I’ll, of course, continue to post content here, but please have a look at this new show and tell me what you think.

Show home page: http://techtrickspodcast.blogspot.com
Show RSS feed: http://techtricks.libsyn.com/rss

Tracking the Lost CPU Cycles

Filed under: Essays, Techie — tylerl [ February 17, 2006 @ 10:31 pm ]

I noticed my computer exhibiting a strange sort of behavior today. I recognized exactly what was going on, but I decided to take a few screenshots and write about it because most people are unaware that this happens. Here’s how it goes:

Confusion in the Task Manager

You notice that your computer is behaving as though it’s under heavy load, but you can’t find which application is hogging the CPU. You take a look at your task manager and see something like this. Look, in particular, at the areas that I circled:

[Screenshot: Task Manager]

Here, the process list shows that 7% of the CPU time is being taken by googletalk, while the remaining 93% is spent idle. Those numbers add up just fine. However, at the bottom, we see that 61% of the processor time is in use — that’s a whole lot more than 7%. So what’s using the other 54%?

I know some of you have seen this before and probably thought something devious was going on. Could it be a virus? Perhaps spyware? I’m sure you’ve heard about rootkits–programs that hide their existence from the user. Could this perhaps be a sign of a rootkit?

Well, the reality is a whole lot less exciting. What we’re really dealing with here is bad reporting. Once again, as in the case of the Sony rootkit fiasco, Mark Russinovich gives us the tools to see what’s really going on. One of his free utilities, Process Explorer, gives us a more accurate view than the built-in task manager. Have a look at the following screenshot, and look, in particular, at the first three processes listed. This screenshot was taken soon after the previous one, so the numbers won’t match.

[Screenshot: Process Explorer]

This will all probably make a lot more sense with a bit of explanation…

Interrupts and DPCs

One of the primary responsibilities of the operating system is to schedule time for each process that requests use of the CPU. Most of a program’s run time is spent waiting–waiting for you to type something, waiting for a file to open, that kind of thing. When a program is ready to do something, the operating system schedules it a time slot. Yet even on computers with over a hundred processes running, most of the time there isn’t any process that’s ready to run. The OS schedules this left-over time to process number zero, the “Idle” process. This special-purpose process sends the CPU a HALT instruction that tells the CPU to go into low-power mode and wait for something to happen (like a keypress, for example).

So, we’ve got X number of programs running, plus process number zero, the “Idle” process. Between these, we can account for all the time that’s allocated by the process scheduler. However, this isn’t necessarily all of the time that gets used by the CPU. The OS kernel itself also uses CPU time, but it doesn’t ever have to wait in line for the scheduler. This code, which is usually hardware drivers (like for your video card), runs under a totally different set of rules.

Kernel CPU time is, for the most part, divided into two categories: time spent on interrupts, and time spent on Deferred Procedure Calls (DPCs). These are really two heads of the same beast; the distinction comes from what kind of code you’re dealing with and exactly when that code has to run. The important point is that interrupts and DPCs aren’t part of the normal process schedule, but do take up (sometimes significant) CPU time.

So, what we saw in the first screenshot was the result of the fact that DPC and interrupt time isn’t reported by Task Manager. At the time of the screenshot, about 58% of the CPU time was being taken by DPCs and interrupts, leaving about 42% of the CPU time for the scheduler to use as necessary. Of that remaining 42% which the scheduler had to work with, 93% went unused and 7% went to googletalk. Some quick math (42% x 93%) tells us that the real time spent idle was only 39%. Googletalk only used 3% of the total CPU time, which was 7% of the time allocated to the scheduler.

Confused yet? Well, here’s the executive summary: Windows’ built-in Task Manager does a poor job at reporting CPU usage because it doesn’t directly report the time that is used by the Windows kernel (drivers in particular). The per-process percentages are actually calculated based on the remaining time after the drivers have already taken their piece of the pie. This can lead to boatloads of confusion when trying to diagnose a problem, particularly when the real culprit is a driver. Process Explorer by Sysinternals does report DPC and interrupt time, thus bringing balance back to the universe.
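The same arithmetic can be run in reverse: starting from only what Task Manager displays, recover the kernel share it leaves out and each process's real share. This is an added example, not part of the original post; the function name and the "Idle" row label are assumptions, and it relies on the reporting model described in this article.

```python
IDLE = "Idle"  # assumed label for process number zero in the process list


def reconcile(total_busy_pct, rows):
    """Recover what Task Manager does not show.

    total_busy_pct: the "CPU Usage" figure at the bottom of the window.
    rows: {process name: percent} from the process list, including the
          Idle row. Per the article, these are percentages of the time
          the scheduler had left, not of the whole CPU.
    Returns the scheduler share, the hidden DPC/interrupt share, and each
    process's share of the whole CPU (all in percent).
    """
    idle_row = rows.get(IDLE, 0.0)
    if idle_row <= 0:
        # With no idle time reported there is nothing to anchor the
        # rescaling on, so the hidden share cannot be derived.
        raise ValueError("Idle row is 0%: scheduler share is not recoverable")

    true_idle = 100.0 - total_busy_pct
    # true_idle = scheduler_share * idle_row / 100, solved for scheduler_share.
    # Clamp at 100 because the displayed figures are rounded.
    scheduler = min(100.0, true_idle / (idle_row / 100.0))
    kernel = 100.0 - scheduler
    true_rows = {name: scheduler * pct / 100.0 for name, pct in rows.items()}
    return {"scheduler": scheduler, "kernel": kernel, "processes": true_rows}


if __name__ == "__main__":
    # Figures from the first screenshot described in the article.
    result = reconcile(61, {IDLE: 93, "googletalk": 7})
    print(f"scheduler share:        {result['scheduler']:.0f}%")
    print(f"hidden DPC/interrupts:  {result['kernel']:.0f}%")
    for name, pct in result["processes"].items():
        print(f"{name:<22}  {pct:.0f}% of total CPU")
```

A hidden share near zero means the process list already accounts for the load; a large one points at drivers rather than at a concealed process, which Process Explorer can then confirm.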

If you want to find out more about DPCs, interrupts, and Windows process scheduling, check out Chapter 3 of the book Microsoft Windows Internals.

Using RSS Bookmarks with Delicious

Filed under: Essays, Techie — tylerl [ February 12, 2006 @ 10:28 pm ]

I like RSS; I use it extensively to track interesting blogs, product releases, and now podcasts all using Thunderbird’s RSS feed manager. It quickly became obvious to me that an email client really is the perfect match for RSS feeds, since the content so closely resembles an email message to begin with. I therefore couldn’t come up with any good reason to use Firefox’s RSS-powered “live bookmarks.” That is, until now.

Like most of us, I suppose, I run into a lot of web content that seems really interesting, but I often don’t care to read it at the moment. Perhaps I’m looking for something else, or perhaps it explains how to do something that I’m not working on right now. So that’s what bookmarks are for, right? That may be, but it hasn’t worked too well for me. I’ve been disappointed with my bookmark setup for a few crucial reasons.

The first is portability. I use at least 3 computers regularly, and what I bookmark here I want to be available anywhere. Using a bookmark service like Delicious solves that problem; but it also introduces my other problem: ease-of-use. Delicious is, in fact, about as easy to use as they could possibly make the site. But I want something that no website can offer; I don’t want to have to go to their website. I want complete browser integration, like my bookmarks toolbar. I decided that the only solution was to write an extension to integrate Delicious bookmarks directly into Firefox. Then I observed–quite correctly–that I was far too lazy to do that. And then, and this is the cool part, I realized that Delicious and Firefox developers had already done the hard work; I just have to “turn on” the existing capability.

So, there’s the background; here’s the solution. This solution only works with Firefox, not Internet Explorer. It almost works with the new IE version 7, but Microsoft unfortunately left out some very critical pieces in their implementation.

Delicious will serve up your bookmarks either on their website, or in handy RSS form. This works very well with Firefox’s RSS bookmark feature, allowing you to put a “Folder” of Delicious-served bookmarks right into your normal bookmarks collection, anywhere you might otherwise display your own browser-served bookmarks. That includes my old friend, the bookmarks toolbar. So, here’s what you do.

Go to your Delicious account (or Delirious — same exact concept, but open-source), select a tag you want to add as a bookmark folder. (Did I explain that these “bookmark folders” are actually the tags you already use? Well, they are.) Now, do you see the little orange RSS icon in the address bar? It looks like this: RSS. Click it.

When you click you get a drop-down list of RSS feeds to use. You want the feed of bookmarks, not the feed of tags. It will then ask you where to put the “live bookmark” and what to call it. You can pick whatever you want, but I’d suggest calling it something short (like the name of the tag) and creating it in the bookmarks toolbar folder. Go ahead and repeat that process for all the other tags you want quick access to. What you end up with is something that looks quite a bit like this:

Of course, there’s no rule that says you can only use your bookmarks. It works just as well with anybody’s bookmark collection. If you want to, you can create a normal bookmark folder (even on the bookmarks toolbar) and put any or all of your “live” bookmarks folders inside it. If you have a lot of computers to do this on, you can get one set up and then copy your “bookmarks.html” file to the others. If you want to do that but you have no idea what I’m talking about, contact me and I’ll walk you through it.

Finally, you’ll need an easy way to add bookmarks to Delicious. You may already know about this, but Firefox supports javascript bookmarks that actually do something. Delicious has taken advantage of this fact and created a bookmark you can add to your toolbar that adds the site you’re looking at to your bookmarks collection. Go to http://del.icio.us/help/ffbuttons to get instructions for installing the bookmark buttons.

One limitation that I haven’t addressed yet is that each live bookmark collection only uses a single Delicious tag. This means that you may want to have a few tags that you use specifically for classifying bookmarks in your browser’s collection. Since Delicious lets you specify any number of tags for a given entry, that’s not a problem. Also, the other RSS feed that we didn’t use, the feed of tags, is one that lists your Delicious tags rather than bookmark entries. This drops you off on the tag’s Delicious page. This may be useful to you if you use a LOT of tags, or you want to link to someone else’s tags collection. Another limitation is the number of bookmarks it will display under one tag. On my browser, it will display the top 31 and clip the rest–the others just don’t fit on the screen. If you have more than that, perhaps you’ll want to consider a more fine-grain classification system. There is no limit (that I’ve seen) on the number of RSS bookmark folders you can create, so go ahead and create as many as you deem necessary.

I hope these ideas help you make better use of your bookmarks collection. If you’re part of that unwashed 90% who still use IE instead of Firefox, perhaps this will give you one more reason to upgrade to Firefox. Give it a try and you probably won’t go back.
