What I want to talk about with you today is: what if locks could talk, and what kind of stories would they tell? So first, talking with locks, isn't that kind of silly? Yeah, maybe it is. But I'm taking here an idea from the chip whisperer people that talk with chips instead of locks. I could also talk a lot about history, different types of locks, and different types. So for example, a lock in a certain place, what kind of stories would they overhear? But that might be a talk for another time.

What I want to talk about is side channels. And that's unintentional information leakage. Specifically, I want to talk about pin tumbler locks and safe combination locks. But side channel analysis and this unintentional information leakage comes from the world of cryptography, where you have a theoretically secure system. But just because people implement it in the real world, it's broken, or it's often broken.

So I was already introduced, but let me just introduce Toool, The Open Organisation Of Lockpickers. It's a hobby club of lock enthusiasts started in the year 2002. We have 50 members here in the Netherlands at the moment. But we have chapters across the world. They are quite active in the United States, and in the UK, and in Australia. Here in the Netherlands, we have weekly lock picking sessions. Once every other week in Amsterdam and in Eindhoven. And we also have a lock picking village at Clear Forions.

So before we continue, I want to introduce the rules of lock picking. And the reason for this is just that ethics is very important to us. So pick your own locks. If you want to pick someone else's lock, please ask their permission. And when a lock is in use, just find another lock to pick. So don't go to pick your own front door lock, because you might break it. Or you could summarize this to only pick your own locks, only pick the locks you own, do not rely on, and can afford to be without.

The specific locks I want to talk about are pin tumbler locks.
And this is a very old picture of a lock back in the 1850s. But it's still the same principle today. The locks got better. The tolerances got better. The locks got also a lot cheaper. The most common form is this euro cylinder, where we have a lock at each side, at the inside of the door and the outside of the door. And it's connected together with a cam. In this presentation, however, I will use the picture upside down, as where we have the yellow. That's our core. And then we have our pin stack of two pins. But it's all the same. I'm just using the lock upside down.

So when I have my lock, then I have the circle. It cannot rotate because the blue pin, this is a driver pin, is in the way. The red pin touches the key. And the key lifts it up to the correct height. And this height we call a shear line. And then it allows to rotate. Here's another view where I took a slice of a lock with five pins. Here we have it without the key. And with the correct key, we can lift the pins to the correct heights and allow the core to rotate. And then with the wrong key, it shouldn't allow it to rotate. So the first pin is correct, and the fifth pin is correct. But the second, third, and fourth pin are not correct.

So how can we now exploit this lock? We have a few different ways. And the first, and foremost, is the binding of the pins. Then we can also see stuff with the rotation of the pins. And there are a few more. So if I have my cylinder again, then I use a turning tool, just a piece of bent wire, something like this. And I put slight pressure on the core. If I want to rotate it just by applying a torque on the core this way, what you would expect is that all of the driver pins prevent the lock from rotating at the same time. But that isn't true in practice. In practice, we only find that one of the pins prevents a lock from binding first. And here we often go for a graphic with wonky pins. We draw a line through it. And you see that some pin chambers are off-center either way.
But this might just be a picture. But this is an actual lock. Sometimes these locks are just so poorly made that it's actually visible. But even if these differences are sub-micron, then you could still exploit it. These two pictures are from my friend Artie. And here we have a different core. This is already a lot more pristine, a lot nicer made. But still you can see around the holes. You can see some damage, some imperfections. And these will act the same as offset pin chambers. The same goes for the pins. These are quite well-made pins. These are nice, round, and sharp. But you can still see some deformations and some rounded edges there. But these are just two very nice examples. There are also locks that look a lot more like this. What we are looking at is a cast zinc core. This is one of the cheapest ways to make a lock core. And then pins like this are not that nice. And will, of course, give you different feedback.

So now we go to pick the lock. Again, we have a turning tool. And we put slight pressure on the core. Then we use our lock pick. And then we start looking through the lock. And at some point we find that pin four is harder to push up. This is our binding pin. We push it up. We hear a click. And we feel the core rotate just ever so slightly. And that traps the driver pin up above the shear line. And at this moment, another pin starts to bind. So it's just a question of rinse and repeat. Find the binder. It gives a click and a rotation. And then you want to find the next binder again. Third pin doesn't bind. The fifth one was. And at this moment, the lock would rotate and open.

So what tools do we need to make this happen? You can buy big sets like this. But usually you just want to start with a very small set. This has all the things you need. It has a few lock picks and a few turning tools. And that's enough to get you started. There are a lot of different shapes of lock picks. And each has their favorite.
You could call it a religion. But for us, for Toool, it doesn't really matter what kind of lock pick religion you follow. We accept all of them. And arguably more interesting than the lock picks themselves are the turning tools. If I were to make a lock picking set, then I'd rather have 20 turning tools because all different kind of shapes work in different types of locks than to have one turning tool and 20 different lock picks.

So how do we use these lock picks? Well, if you hold it like this, then it doesn't really work for lock picking. The better way would be to hold it like a writing implement. And for me, this one works. This gives me the most control over the lock pick as it gives me nice control over the picking tip. As for the turning tool, you want one that fits the keyway very nicely. So this one is too small, too thin. And it falls in the keyway and blocks the access to the pins. A better one is already this one. This is a thicker turning tool. And it fits very snugly in the top of the keyway. And this gives all the access we need to the pins. Notice also here I'm using my index finger because it gives me the best leverage and the best control over my tools. If you were to use your lock pick, your turning tool like this, then it wouldn't give you as much control as you would want. And you get quite cramped and you get frustrated. And then you might not pick this lock.

Just as a quick demonstration, here I have a lock and a turning tool. I put it in the lock. In this case, I'm using my thumb, not my index finger. And when I start to pick locks like this, then it doesn't give me much control. So I want to have a very small loop. My hands are touching. And this gives me a lot of control over a lock pick. This demonstration effect, OK. It does work. It's just hard to demonstrate.

So that was just the start of getting started in the lock picking. But what other feedback can we get from the lock? Well, this lock has been picked.
So maybe, I don't know if this sound can be picked up. But the pins are loose. So you can hear this. So you can hear your progress. We have already seen that we have seen the non-binding pins, just a pin that just springs back. We have seen the binding pins. And we have here the loose key pins. There are two interesting ones. One is where the driver pin is at shear line. This is where the key pin is loose. But you can get a slight wobble of the driver pin because it is at shear line. And the other one is where we overset a pin. So here we have the same lock picking slides as before. But in this case, I am pushing my binding pin too far. And my key pin is currently at shear line. So no matter how far I push the fifth key pin, it will never get unstuck. So the only way to get back your progress is to release pressure on your turning tool. And hopefully just reset one or two pins. But sometimes it resets the whole lock, where it gets interesting.

And this is also a bit beyond the scope of this presentation. It's where we have security pins. These are very pristine. These are very sharp, sharp pins. And each pin will give you different types of feedback. As we don't know the real names, we usually go quite descriptive. For example, the second from the bottom and the fourth from the bottom. It looks like a torpedo. So we call it the torpedo pin. But because it's a key pin, it shouldn't interact with the lock picking at all unless we overset the pin. There are a few more examples of different types of pins. And most notably is the third and the fourth pin. Fourth driver pin. And because it has rings on top of it. So usually these things are not necessarily anti-picking. But it does give us a nice challenge.

So let's now go to mechanical combination locks. Specifically, I want to talk about spring lever combination locks of the type group 2. Where the group is just how difficult it is to manipulate. Either it's two hours manipulation resistant or better.
The target we have is the Sargent Greenleaf 6730. This is one of the most common locks of this type. And it's not that common here in Europe. But it's more common in the United States. It's a three wheel combination lock. And it has a theoretical one million combinations. But in practice it's a lot less. Here we have the lock. I mounted it on a nice piece of wood. But you could find this mounted on a safe. You have the dial ring that's mounted to the safe. And you have the dial which has the numbers 0 to 99 on there. And you dial the numbers to the indicator.

On the back of the lock we have the locking mechanism. And this is already quite complicated. But what we have is we have a bolt. We want to retract the bolt. But the lever doesn't allow us to retract the bolt. So what we do is we dial the correct combination. Then the lever can fall into the lever pack. And move backwards and retract the bolt. If you take a look at the wheel pack, we see there are three wheels and one cam. And each wheel has a gate. The cam then is connected to the dial. So that's the only thing we can really manipulate on this lock. The cam has this protrusion. And it's after one rotation it picks up the next wheel. And with these bits, after rotation of the wheel, it picks up the next wheel. After rotation again it picks up the next wheel. For the lever we have two interesting parts. One is the nose and the nose rides over the cam. And we have the fence. And the fence drops into the gates of the wheels. Something like this.

This is just the normal operation of the lock. This isn't anything secret. When we want to open the lock, we first need to rotate the dial four times to the left. That's counterclockwise. And then stop at the first number. Then we dial right three times to the second number. Then left twice to the last number. Then right past zero to open the lock. If the lock doesn't open, then we didn't dial the correct combination.
So what you can already do with this is build a robot and start dialing every combination. It's done, but it's also quite boring. There must be a more interesting, a more clever way of defeating this lock.

So what's the side channel? Well, we can indirectly measure the wheel's height. And here we say that a lower reading is a better guess. So what you can imagine is if I put all gates under the fence, then that's the lowest reading possible. But if the reading is lower than before, then maybe I have some gates under the fence. So how do we measure the wheel's height? We do this by finding the contact points of a lock. And these are usually around 5 and 15. So we have the cam and the nose falls into the cam. Then while dialing, the cam comes around again and pushes the lever nose out of this hole. And this is what you can feel, where the right contact point is a nice gentle slope and the left contact point is quite a solid spot.

For this one, I've also created some graphics where gray is our wheel and the ball is our lever nose and the ramps are contact points. So we can measure the position of the right contact point. We can measure the left contact point and calculate the distance. Then when we have a better guess, our wheel pack is lower, and we measure right and left again and again have a distance. And it doesn't take much to see that the green line is shorter than the red line.

So how is this in practice? Here I have a combination lock. In this case, it's a cutaway, so we can see more of the lock. And I've not placed any gates under the fence. So this is the highest reading it will ever give us. And we see that on the contact point reading, we see that the value is 13.25. But now I do exactly the same and I put a gate under wheel 3. And now the reading is just ever so slightly different. It reads 13 at this moment. So again, this is 13.25 and this is 13. So these differences are so small, it takes quite some precision.
We do this usually by our eye because we think this is a fun game, fun challenge. But you could also amplify this with electrical means. Traditionally, we would do one eighth of a digit, but if your eyes are more calibrated to one tenth of increments, that works as well. But you want to stick to the same measuring scheme every time.

So how can we get this information from the lock? Let's perform an algorithm and we call this algorithm all wheels left. For this, we dial four times to the left and stop at a number. We call it N. Then we measure the contact points. Then we dial left to N plus two and a half. And then we measure the contact points again. We do this as long as it takes to complete the graph. It doesn't take long. Sometimes it takes ten minutes, sometimes half an hour. But you want to have a complete graph. Without a complete graph, it will just mess up your manipulation. Here's an example graph that I dialed every ten, every five steps. And what we're looking for is the global minimum. And that's for this lock at this point.

Now we know the global minimum. What's next? We need to figure out on which wheel this global minimum point lives. And we can do this by process of elimination. We know our original dialing sequence is 80 left, 80 left, 80 left. And I'm just changing one of them to 70 right. And what we see is that if we don't change the last wheel, we find the lowest reading. So our 80 left is on our last wheel.

With this information, we can then continue making more graphs. We don't know if 80 left on wheel three is our gate. But we at least know it's a better reading than we had before. So for this one, I'm dialing right, right, 80 left. So that's four times to the right, two times to the left, to 80. And then to the right again to get my contact points. And this is then the graph that I got. Where this spot is the most interesting. Because again, it's the global minimum. Again, we perform the same test as before. We just have less variables.
So we only need to find, we only need to dial it twice. And we found that our second number is 50 right. At this point, we can make more graphs. We can start reinforcing the last number because we are so confident about our finding of the gates. That we say 50 right and 80 left are gates. And that's also what I did to finish this manipulation process. So we have brute forcing left, 50 right, 80 left. And the lock opened at 20, giving us the solution.

So what you want to do is to note the dialing direction. If you find a global minimum by dialing left, then keep this number the same. Because 80 left and 80 right might not yield the same result. Also, you want to be very precise and consistent. You want to check every n numbers and digits. And that depends on what lock you're working with. If it is sloppy tolerances, then two and a half might be fine. But for some locks, one or one and a half or two might be better numbers. If you're inconsistent with either the dialing or with the graphing, you will also mess up your data. You will introduce a lot of noise. And the last one, the most important one is lower numbers are good, but it doesn't have to be a gate. So if your graph shows you a lower number, then you're making progress.

Let me just demonstrate this one with a much more difficult lock. So here I performed an all wheels left operation and I found 80 as my lowest number. But it was quite inconsistent and I couldn't really feel if it was really 80 left. So I also performed an all wheels right operation. So it's just the same as the all wheels left just by turning the other direction. With this graph, I found that 75 was an interesting spot. And I chose it as my number and I found it lived on the third wheel. And I performed the operation left, left, 75 right. And I got this graph. So again, it's a lower global minimum. So I'm making progress. I chose 65 as my first and my second digits. And I redid my graph by rotating to the right.
So that's 65 left, 65 left. And then make a graph to the right. And I found a new global minimum. I then found that this global minimum was on wheel three. Again, by the process of elimination. And made the graph left, left, 80 right. And this gave me a very nice global minimum around digit 50. This then lives on the second wheel because of the process of elimination. And then I created a graph starting all the way at 100 down to zero. And the lock opened at 20. But with every graph, I got closer. This one took me quite a long time. More than a couple of hours over several days. Instead of just half an hour for the other one. So don't give up because each graph got us closer to an open.

If you want to play with this, we have some locks at the lock picking village. Both for lock picking and for safe manipulation. You can also just buy safe locks like the Sargent Greenleaf 6730. They go for around 100 euros. But you quite likely have to import them from the United States. One alternative is to get a virtual practice lock. And these are quite cheap. This is just a program. It's not a game. It's sold as a game. You can get it on HIO or Steam for just three euros. So you get a nice box with a virtual lock on there. And there are different modes you can play through. But this will already give you a lot of the same feel and the same process as a real lock would give you. The only difference is that this virtual lock is too perfect. So it might not... So it might be a little harder to manipulate. What this virtual lock also allows you to do is to get more tools out. So it has X-ray, it has magnification. It also has some gyroscope gizmo that gives you very precise readings. And also some spectrogram thing. It's definitely a nice tool. And it also allows you to do dumb things like this lock with more than 20 wheels.

So let's wrap this one up.
If you want to know more about manipulation, I would suggest, of course, coming to the lockpicking village, but also reading the book, The National Locksmith Guide to Manipulation. And if lockpicking is more your thing and it caught your interest, then definitely get a copy of Locksport: A Hacker's Guide to Lockpicking, Impressioning, and Safe Cracking, when it's out, hopefully, in a couple of months. And notable people that wrote this book are, of course, Jos Weyers. You might recognize him and Walter Belgers. So this is the end of my presentation. I noticed that I talked way too quick. Thank you.

Thank you very much, Jan Willem. It was really interesting. It's the first talk I've seen on manipulating safes in this way. Are there any questions? Please use the microphones in the middle. Nobody has questions. I have so many questions.

Hello. That was a very nice talk. Thank you. I was wondering, is there a certain brand or certain type of lock that you really want to get?

That's a good question. I'm quite a lock collector, so I look on eBay all the time. And at the moment, there aren't many locks that I don't have, except for very, very expensive locks. For the safecracking, for example, there are a few government restricted locks that they just won't give me.

I had a question about the pins for the tumbler lock. You said that one of the pins had a disc, but wouldn't a disc make it easier to lock pick? Because then you have two different distances where you can get it in a gate.

One question. I'm taking the slide. This one?

Yes, correct.

So what is third and fourth pin has? It has the discs are movable, but there's still one element. So you still have to set the whole element in its entirety, but every disc will give you as if the pin was either not binding at all or it gave other feedback.

Thank you.

Thank you for the talk. Really interesting. It's not an interesting question though, but I do want a bit of advice. Can you recommend a good lock for my bike?

Can I give an advice on securing your bike? Well, that depends on your threat model. So what kind of bike thief is after your bike? There are definite answers. And the most easy one might be just look at what your insurance recommends. And then if you don't trust them, just one up them. It's the ART standard where three is for bikes and four is for motorcycles. I don't know the exact numbering scheme, but if you have ART five, then this bike goes nowhere.

You were talking about the combination locks, and you were talking about having like a half set on a gate. And I was wondering how that works because as I understand the combination locks, all the discs are the same size. So even if you've got one gate in the right place, isn't it supposed to not drop anything? Or is it just the same as the tolerances that you mentioned in the tumbler locks?

So if I get your question correctly, if you have more wheels and one of them shows a gate and another does not show a gate, then would it not show you anything?

Yes.

That's again if we live in a perfect world. So this fence is just one piece of metal soldered on another piece of metal. And this might be not at the correct angle. Also these locks are made to function in the real world. So they might not be totally, totally round. Or there's so many tolerances. And in practice it works. But sometimes you find a lock that's a lot harder to manipulate than another lock.

And this is because then the tolerances were way smaller?

Either the tolerances are way smaller or it's just a luck of the draw where the stars aligned and this one good lock was produced in this factory.

I see. Thank you.

If there are no further questions, I have one small question. I understood that for Toool you need two references. Can you read the other?

Do you need references for Toool? To become a member?

No, if you just email us at infoedtool.nl or visit our website or join our Discord or join the Lockpicking Village and mention that you want to become a member, that's definitely possible. There has been, we don't want everyone to become a member but everyone here in the room has already shown such interest in the topic.

Okay, thank you very much. One final round of applause for Jan Willem.