Fist of all I would like to wish all loyal blackbag readers a happy new year!

Just like most people I made some new year’s resolutions. The most important one for you (reader of this blog) is that from now on there will be at least one blog entry per week. And it will always be released on sunday evening (or monday morning). If there is a lot going on maybe it will be even more active here, but on sunday/monday there will be something on blackbag for sure.

And to keep a steady flow of information on this blog, I am looking for informants. That is right, if you have juicy information, or just something you feel would be of interest to the readers of this blog …. please let me know and mail me! (barry at toool nl)

And even tough I like to write about new and inventive things you sometimes will find old news here. But is will be about things I value greatly. Like for instance this posting about the ‘tiger team’.
I read about this great new television show on schneiers blog some days ago, but only had time to watch the video streams today. And boy, I like them!

They cover it all: picking locks, cracking safes using fingerprint powder, bypassing alarm systems with magnets, cloning RF-ID cards from someone walking in the streets, using hidden camera’s, social engineering people, hacking computers, setting up surveillance … the works!

The first two episodes can be found on torrent sites or in the newsgroups (alt.binaries.multimedia: Tiger.Team.S01E01.DSR.XviD-iHT, Tiger.Team.S01E02.DSR.XviD-iHT) …. and I will keep an eye open for new episodes ….

Hope you will be able to download them and … visit blackbag on Sunday!

Who said burglars never pick locks ?!?

‘I’m a lock-pick until the day I die. They’ll have to pry the lock-picks from my cold, dead fingers,’ Joseph Carbone once said.

Old-school jewel thief arrested in Brevard

BY DAVID OVALLE
THE MIAMI HERALD

Condo Joe, slick jewel thief, longtime Miami-Dade police nemesis, bald senior citizen, is back behind bars.

Joseph Carbone, 60, was arrested late Wednesday, this time in Palm Bay for a break-in across Alligator Alley in Collier County.

Deputies say a husband and wife surprised him just after 1 p.m. Nov. 14 as he rifled through a nightstand inside their condo. Carbone escaped and zoomed off in a black Ford Crown Victoria — but not before the couple jotted down his license plate.

”I’ve spent 30 years chasing this guy and he just doesn’t want to quit,” said retired Miami-Dade Detective Michael Crowley.

Crowley and Miami-Dade Sgt. Thomas ”Bulldog” Blake spent decades tracking the old-breed lock-pick thief who targeted high-rise condos and high-end jewelry.

In the mid-1970s, Blake drew national headlines for his pursuit of Carbone, who bragged about wearing expensive jewelry while committing heists, stayed at swank hotels and always valet parked.

For 18 months, Blake tracked Carbone, tailing him while off duty — even distributing fliers to police along the East Coast while on vacation with his family.

His diligence paid off. Alerted to Carbone’s presence, Virginia authorities arrested Carbone with stolen jewelry and a set of lock picks on him.

Blake helped arrest Carbone two more times, in 1984 and 1990.

Carbone was unabashed about his career choice.

”I’m a lock-pick until the day I die. They’ll have to pry the lock-picks from my cold, dead fingers,” Carbone once told Blake.

After a 19-month stint in state prison, Carbone was released on probation in February 2004 but disappeared. He was arrested within a month at the Best Western Floridian Hotel in Cutler Ridge.

Found in his room: some 15 lock picks, jewelry, watches — and copies of old Miami Herald articles chronicling his exploits.

He was released from prison a month later and finished his probation in October 2005. Though he slipped off the radar, Crowley and Blake suspected he had returned to his old ways.

Carbone was again arrested this Oct. 3 in Indian River County.

He was found, deputies say, at 10:25 a.m. trying to open a house door, his hand draped with a white handkerchief. A deputy later pulled over Carbone, driving a Ford Fusion rented in Miami.

Sweaty and nervous, he allowed the deputy to search his brown fanny pack. Inside: small screw drivers, a small pry tool, two white handkerchiefs and a “a large amount of lock picking tools.”

Inside the trunk, deputies found diamond earrings in a box, two pairs of binoculars, a window punch tool, more handkerchiefs — and 12 baseball caps.

”I guess they cover up the baldness,” Crowley quipped.

Carbone was charged with attempted burglary, possession of burglary tools and loitering and prowling. He was released on bond.

Then in November in Collier County, a husband and wife returning to their two-story condo in a gated community saw Carbone through the bedroom window. He was rifling through the nightstand.

”She ran in yelling and chasing him out of the house,” said Collier County Lt. Chad Parker.

Carbone dropped the jewelry and hopped into the Crown Victoria but the couple wrote down the tag number.

That proved his undoing, deputies said: The license plate was registered to him.

Deputies consulted with Blake, Crowley, and Miami-Dade career criminal Detective John Laughlin.

Crowley immediately called a former co-worker at Miami police: William Berger, now the police chief of Palm Bay — where Carbone has been living.

By Wednesday night, the old jewel thief was arrested at his exclusive home by Palm Bay crime suppression detectives.

Even Berger was surprised at Carbone’s stubborn refusal to quit thieving.

”You don’t see these type of guys around anymore,” Berger said.
—
Web Extra: ‘Condo Joe’ arrested wearing pajamas
He was wearing pj’s
Palm Bay police arrested career criminal “Condo” Joe Carbone while he was wearing pajamas and relaxing at home Wednesday night, spokeswoman Yvonne Martinez said.

Palm Bay Police Chief William Berger received a tip from his former Miami-Dade police colleagues that Carbone was staying at 253 Wishing Well Circle, less than a mile west of DeGroodt Road.

Police don’t know if Carbone owned the house or was staying with friends. Carbone doesn’t own a house in Brevard County, according to property records.

About six officers, including the crime suppression unit, arrested Carbone without incident, on a warrant of Collier County, Martinez said.

“They didn’t give him an opportunity to resist,” Martinez said.

He was taken to Brevard County Jail in Sharpes but later transported to Collier County.

“If convicted for the charges on this warrant he could be looking at 40 years,” Martinez added.

– Megan Downs, FLORIDA TODAY
(thanks to Froggy for the link to the original article)

An image can say more then a thousand words ….

I guess by now quite some people are comparing their key to the above image, hoping their key has the same profile as the AX1RP blank (on the right)…..

Why?!?

In cooperation with Kassa TV and one other organisation we performed a little test. In and around Amsterdam we tried to open over 150 bicycles. We got help from random bicyclists, bike shops, and even received assistance from local law-enforcement. Result: we managed to open around 50% of them….

By far the most interesting and intriguing thing we found is that almost all locks we could open used the so called ‘standard key profile’ (blank AX1P). Locks using the ‘mirror image profile’ (AX1RP) seemed almost impossible to open. And we are still investigating why. And we do warn people the flaw might be exploitable in the mirror image profile someday soon … many people are now looking into it, and it could be a matter of time. But for now it seems ok …

One other interesting fact: we managed to open almost all 583 models (over 90%), as well as a high percentage of SL7 and SL9 locks…. if they used a ‘standard key profile’ that is. And a lot of SL9 locks were equipped with a mirror image profile.

Axa by now admits more locks are vulnerable as they expected before, and they will come out with a report themselves any day now. Curious if they found the same things we did (in our relatively small test).

More about this test and the findings (in Dutch) on Kassa TV or http://toool.nl

Today ABUS announced (trough an ad in the newspapers) they will send a free lock to everybody that has a lock vulnerable to the ‘blank key’ method. It concerns some of the 48 and 4800 series ABUS bicycle ring-locks.
Rumor has we are talking over 100.000 pieces. And they will all be replaced by ABUS … for free.

I read a lot of comments on various Dutch webpages AXA should follow ABUS and do the same. People say it is not fair they ‘only’ receive 50% discount on an additional extra lock.

Now, I disagree with that, not completely, but still … I disagree.

People do not seem to realize all ABUS locks were manufactured after 2005, while AXA produced defective locks between 1998 and 2005. So while a defective ABUS lock is at most two years old (or should I say young?), an AXA lock on average is five years old, and in some cases even nine years! As far as I am concerned this is old enough not to be entitled for a full refund. I think it is fair to give people a full refund if the lock is under four years old, but after that … you should be happy with your discount.

Over the last few days I visited many bicycle shops. A lot of them had stories of customers who did the right thing: they upgraded to an AXA Defender lock and simply paid twenty euro. These people took the warnings in the media serious and did not want to wait to have their bike stolen. Most of them did not even blame AXA. After all, it is a freak accident. A rare mechanical defect discovered by the wrong people, probably by accident. And years after a serious test institute certified the locks. AXA did what it could when these locks were made.

Now, I realize not everybody can easily pay twenty euro for a new lock. And not all bicycle shops will change the lock for free, although most feel it is a service to their customers to do so in this specific case. But still, if you have the money, just find a shop that will replace the lock for twenty euro and get it over with.

Having said that, it would be a good thing if AXA gave a 50% discount on the Defender (or Solid) ringlock, as that is what would make most of their customers happy…. and brush off the negative image they are creating by not making this offer …

Some Dutch media picked up on my last posting on AXA bike locks, including one of the most popular consumer television programs ‘Kassa’. Saturday prime-time, 1.4 million people watched Dirk Bolderman, head of AXA bicycle locks, answer the question how many locks might have this flaw. His answer: “Between 1998 and 2005 we produced four million locks. We assume 100.000 to 200.000 might have this vulnerability. And the locks can not be identified by their serial number”….
(video available as 33 MB quicktime or on YouTube)

Some people have serious doubts about Mr. Boldermans claims ….

The good thing is he did promise AXA will offer 50% discount on new additional bike locks soon.

I received mostly positive feedback for pointing out the ‘interesting’ AXA/Abus advertisement campaign. One exception is the Dutch association of bicycle enthusiasts (fietserbond). Normally I sympathize with them, as they are really doing good work for us bicyclists (yes, I ride a bike too). But they are now asking Dutch justice department to take ‘legal action’ against ‘these instructional video’s on internet’. They claim these video’s are criminal because they encourage criminal behavior. Sigh….

Now, there are lots of ways I can defend myself against these ridiculous claims. And I have no concerns on the legal part of it. We have a long list of lawyers that owe us a favor, mainly because of our technical assistance in difficult court-cases (mostly fraud cases were insurance companies don’t want to pay). And legally they do not have a point. Maybe morally, but I think the awareness created by the clip had much more impact then the silly AXA advertisement in the papers.

And I decided to look at their website, trying to learn some more about them. Interestingly their site is filled with information that can help thieves. Take for instance their excellent study (PDF) on bike lock security. Assisted by the Technical University in Delft, they studied a more destructive way of opening locks: using special pliers used to cut concrete reinforcement elements (dutch: betonschaar). Potential thieves are advised what locks to avoid (including images of locks), and how to use the cutting tool properly (Use 65 Rockwell blades and let one of the cutters arms rest on the ground to increase impact). Maybe it is time to arrest the people from technical university Delft now …

Anyway, good luck to them trying to sue Kassa for warning the public on prime time television ….

Update: Volkskrant reporter Michiel Haighton went to Amsterdam Central station to try his luck (video) …. and guess who he met there ?!?

To be continued for sure …

According to an article on the front page of the biggest newspaper in the Netherlands, some Dutch bicycle locks are not worth a dime.

And they are right. There is a trick to open some of these locks in seconds, causing no damage to the lock. In the article, Dutch police advises to always use two locks to secure your bike (and better lock your bike to solid objects too).

Yesterday I learned manufacturers of these locks were going to warn the public using nation wide advertisement in newspapers. Curiously I looked in the newspaper today, and had to look twice. But I found the add on page 26 (of the digital telegraaf edition). I expected the add to say something like: Warning, possible product failure. Instead it said: A new phase in security. First thing the add does is … advertise the new AXA Defender RL as a secure lock. Second it mentions ‘the police discovering a new method of manipulating locks’. This ‘by the police discovered method’ happens to work on ‘some older models SL7, SL9 and 583’. Needless to say police did not discover this method. If they did it would (still) be a big secret. Instead of the police, the guild of bicycle thiefs discovered it. And police found out about it that way. I am real curious if other brands are affected by this too.

The AXA website covers the problem the same way as the ‘ad’ in the newspaper. Instead of making a serious effort to warn their customers they just mention on the side of the page: AXA advertisment, a new phase in security. Not something a concerned customer will click on straight away.

I am curious were this is heading to, as this story shows great resemblance to problems Kryptonite had in the US. Someone found out these locks could be opened in seconds, without any damage, using just a bic pen. That story started with some denial, but ended with Kryptonite publicly making a lock exchange offer. I am curious if AXA thinks it is going to get away with this, or if they are going to make the same offer to their customers as Kryptnite did….

I have know for at least a week there was a problem with the AXA locks, without knowing the details. My locksmith friends were swamped by kiddo’s asking them for SL7 blanks (really, for a science project at school sir). And when I visited the bicycle shop around the corner they told me quite some people had their bikes stolen….

The bicycle shop gave me two locks from their garbage bin for me to experiment on. It only took me a couple of minutes to figure it out and open them both. And since every bicycle thief in the Netherlands already knows how to open these locks, I do not mind sharing the trick with you (18 MB quicktime movie or youtube). And please do not complain about me teaching malicious people how to open locks. Complain to the manufacturer of the lock that makes locks ‘that are not worth a dime’ ….

Update 08-12: Abus does not only seem to have the same problem as AXA, it looks as if they also share the same marketing people. The head of the ad in the newspapers today says: New generation Abus bike locks. And it does mention some ABUS Protecta 48 and 4600 can be opened using an ‘illegal method’. Who’s next?

It is amazing what can happen in the course of just one weekend. The list of interesting things happened in Sneek is just too long, so I am just going to highlight a few here…

“Lock Pathologist” Peter Field his presentation was very well received.

And in a weekend that is about breaking records, this presentation broke quite a few! Most obvious record: the longest presentation ever at a Dutch Open (almost 5 hours). But also it received the longest and loudest applause ever (at least 5 minutes straight!). A great contrast to another record: that of the one presentation were the audience was completely silent. All in all one of the most interesting presentations at the Dutch Open ever. Thanks again Peter!

Another great class was that of Paul Crouwel on combination lock manipulation.

Paul prepared this class with great precision and besides arranging plenty combination locks, he had some tools and charts made to make manipulation more easy. So I would not be surprised if we will have combination lock championships at the Dutch Open in the near future, as some of the attendees became very enthusiastic about opening combination locks this way. And already Paul is receiving requests from other organisations who are interested in attending his classes.

Of course there was a lot of lockpicking going on in Sneek. I have seen some exotic tools, ranging from home made Abus plus picks, to the famous sputnik to the new mul-t-lock opener and more. But what everybody was there for was the Dutch Open championship. Under strict supervision of referee Ivana Belgers (toool eindhoven), Julian Hardt managed to win the open again (just like in 2003).

Peter Danilov became second, followed by André Matuschek. Too bad Nigel Tolley from the UK became fourth, and Eric Schmiedel of Toool USA became fifth. In total there were 42 people attending the open this year. At least half of them good enough to make it to the finals.

And then there was impressioning:

Manfred won his second impressioning championship title this year. I became second, just like two months ago in Germany.

Manfred opened the lock, setting a new impressioning record of 5 minutes and 19 seconds. It took me just a lousy 28 seconds more: 5 minutes 47. Oliver Diederichsen became third in 6 minutes and 20 seconds. And some background info: there were a total of 22 attendees of which 11 managed to open the lock within the hour. Walter Belgers was last in 58 minutes and 39 seconds (just 1 minute and 21 seconds before the end of the game!). And it was fun to see many people picked up on impressioning and open a lock for the first time this way in Sneek.

The new hostel in Sneek also was a great success. Professionally run by Gea Schmidt and her staff she made everybody feel at home. A small minority was un-happy about the non-smoking policy, but besides that I heard no complaints.

Again, the list of things that happened is too long to fully mention here. Jaakko’s Abus presentation, the interesting things people shared, the lack of time for some scheduled presentations …

So I would like to end here, thanking all that helped make the Dutch Open 2007 a success. The list of people to thank is also too long, as almost all attendees helped out one way or the other. Thank you all, and … see you next year!

Next week we will be picking in the snow…

The ‘Mastermate bouwtechniek dagen’ will be held in Snowworld Zoetermeer this year, and we will be present to teach the audience the noble art of lockpicking. There will be a big table with some qualified Toool instructors and plenty of locks and tools to get you started. So if you live in the Den Haag/Zoetermeer area come visit us Tuesday or Wednesday November 21/22 (from 13:00 to 21:00).

Some of the Toool members will be trying to improve their best scores in the ongoing 2007 competition, or will use the time to practise for the Dutch Open lockpick and impressioning championships in Sneek November 23/24/25….

Whenever we do lock-pick or impressioning championships we always make sure to keep the original keys far out of sight of the participants.

The reason is a two second peek of the key is enough for an expert to ‘read’ it. After that he/she knows the (approximate) key combination and picking or impressioning becomes much more simple.

I even hear rumors surveillance teams try to make photographs of keys visibly worn by suspects to give the NDE operator a head start ….

And in some prisons the guards carry keys in a way the inmates can not see them.

People that are concerned with others ‘reading’ their keys can have a look at a new product called ‘key port’. It is not a cheap solution, but it is effective and sure makes a great Christmas present ….

Last month we heard former FBI agent H. Edward Tickel Jr tell the amazing story how he did some blackbag operations, working from inside a cardboard box.

Well, it now seems not only the FBI was clever enough to come up with this method.

Some blackbag reader attended me to the following story:

Fri Oct 26, 4:29 PM ET

TORONTO (Reuters) – Two men and a woman who used an ordinary cardboard box to break into over 200 Toronto area fast-food joints were caught by lucky timing, police said on Friday.

The trio arrived at their target with an oversized cardboard box, which they propped up against the restaurant’s front door. One person hid in the box and used specialized tools to break into the restaurant, while the others stood guard with a police scanner and two-way radios.

“They were able to, by experience, literally remove the glass from the pane of the door and then set the glass aside,” said Detective Sergeant Reuben Strober of Toronto Police, adding that the burglars managed to disable most alarm systems at the same time.

Even if the alarms were triggered, the suspects got away before police arrived. Over the course of their crime spree, they made off with some C$250,000 ($260,000), police said.

Strobel said the three were finally caught after police responded to an unrelated call in the neighborhood.

They face 355 charges.
—

Curious if these guys had an intel background ….

And it is a good thing they are already used to living/working in small spaces, as with 355 charges it might take them some time before they get out of their small little cell ….