Hacker News new | comments | show | ask | jobs | submit login
Killer escaped prison after being issued picture of master key (news.com.au)
233 points by emhart 1494 days ago | hide | past | web | 94 comments | favorite

> "Those keys were a dead-set copy of the keys that we had. The key he copied was in the shape of a figure E, which was the master key."

> The officer said it was Heiss's fellow inmate - fellow murderer Shane Baker - who made the key. He said Baker was a jeweller who had jewellery-making equipment in his cell, and used this to work on the key.

This has "I don't know what I expected" written all over it

"The Prison Service has been forced to spend £250,000 on changing every lock and key in Feltham young offenders' institution after a TV news crew filmed a prison key during a media visit last week."


Diebold voting machine key copied from photo at company's own online store


I heard about a similar incident in the Santa Clara county jail. In that case, the inmate, ironically facing a federal counterfeiting currency charge, managed to make a skeleton key to the jail by cutting plastic from a jail-supplied Rubbermaid bin that was supposed to be used for storing personal property. The inmate got the general shape of the key by looking at it as guards passed by, then perfected it over a period of weeks by sticking it in the lock and attempting to turn it. The lock made marks on the plastic where the teeth were supposed to go. The inmate was caught and all plastic bins removed from the jail after the key was finally good enough to open the lock, which set off an alarm.

Why did the alarm was set off? Do these locks work only with a key that passes through electricity or have some other built-in secondary check? Really curious.

Apparently there are parts of the Santa Clara County jail that are very old. This occurred in a dorm-style housing unit, and the key he made opened a stairwell door (the door to the stairwell being inside the housing unit, which is how he was able to repeatedly test without scrutiny). The door was alarmed and went off when it opened. Most modern jails don't use skeleton-style keys, and the doors are opened and closed electronically, but the part of the jail he was in was decades old.

I think he was asking that if the guards can use a key to get through without setting off an alarm, why did this guy's key set the alarm off?

I'm not entirely sure, but I think that the door was not ordinarily used by anyone, something akin to the jail version of a fire exit. I believe it was set to alarm regardless of who opened it, but if an authorized person opened it, presumably they would let whomever receives the alarms know about it in advance and not send in an army of officers.

Presumably they disable the alarms before the guards open the doors, and enable the alarms when the prisoners are unsupervised. Like how you enable your house alarm when you leave, and then disable it when you return home.

People need to realize that the shape of your key is pretty much a "password". Letting your keys lay on a table in open view is akin to leaving a piece of paper with your password out in open view.

Exactly. Reminds me of this:


"UC San Diego computer scientists have built a software program that can perform key duplication without having the key. Instead, the computer scientists only need a photograph of the key."

Research turned commercial: http://shloosl.com/

Copy any key for $5 with a picture from your phone and they'll mail it to you.

So then they have my address and keys to it?

Only if you gave them your address and the keys to it. If you gave them a different address or different keys, could be harder...

A bit harder - use of a telephone book would probably solve a fair portion of cases where they didn't just get straight in (assuming you paid with your own credit card and so they had your name).

But if you pay by credit card, that applies to any key copying service, online or not.

Old-fashioned key copying services don't necessarily have the opportunity to make their own copy of your key.

They could just sneakily make a picture of your key.

> So then they have my address and keys to it?

Right, which means if your house is burgled within a reasonable timeframe after you use the service, they're prime suspects.

It's a pretty big risk for them, I should think.

>It's a pretty big risk for them, I should think.

Yes, so all it takes is somebody to rob THEM, and get keys and addresses...

Burglary all the way down.

> Yes, so all it takes is somebody to rob THEM, and get keys and addresses...

Which would legitimately take the heat off of them, so it would be in their interests to fake a robbery of themselves not long before their real robberies of others begin.

Ah, but I'm just getting started! If you wanted to rob houses and frame them, just rob them first. The police and everyone else will think your real robbery was faked by the company, as per my previous paragraph, so you get off scot free.

Robbception, it would be called.

Nope, no possibility of abuse there!

It's strange, but I really find it hard to come up with a legitimate reason for this service - I think there's a place that'll copy my keys down the street from me. It would take me less time to get my keys copied there on the way home than it would to actually check my mail when I get home.

I find it hard to come up with an illegitimate reason for this service. A thief could finagle a picture of your key, send off to an online service using information that could easily be traced back to him, then use it to open your door. Or he could just pick your lock in less time than it would take him to fill out the order form.

Or if he isn't good at picking, the thief can take the picture and just make the key himself with something like this https://dx.com/p/advanced-key-cutter-16425

Or smash your window in far less time than it would take to pick that lock.

It's also very possible to abuse a local, bricks and mortar key duplication service.

To abuse the online service, you need a valid credit card not in your name or traceable to you, a valid anonymous dropbox to ship to, a clean shot of the key, and an anonymous or well concealed IP address.

To abuse the local service, you need the key, some cash, and about 20 minutes.

Neither is immune to abuse.

As the consumer, it is way easier to be abused by the online service. First let's assume those running the service are perfectly honest. Now let's assume they practice security about as well as the average small online retailer. Now let's assume a hacker breaks into their system and downloads a full dump of their database. Now that hacker has many (hundreds? thousands?) of key photos matched directly to addresses and likely tons of other PII.


> Now let's assume a hacker breaks into their system and downloads a full dump of their database. Now that hacker has many (hundreds? thousands?) of key photos matched directly to addresses and likely tons of other PII.

In theory, they could encrypt the data with a public key before it ever hits the database (or any other permanent storage) and ensure the matching private key is never stored on the same computer.

In theory there are lots of ways they could secure the data, my point was that in the non-theory real world most online companies fall way short of good practices for data security.

This is why barely a day can go by these days without some some story popping up on HN about "Company XYZ was hacked, customer data exposed".

According to the website, they redact your shipping address a day after the duplicated key ships. So no need for a dead drop.

Plus, you could use a VISA prepaid card.

Right, my point is that neither service is ironclad secure. (By the way, loading and activating a prepaid Visa anonymously is more tricky than you'd think post Patriot Act - I'd venture criminals would more likely just grab a stolen CC).

Interesting about the redaction. Presumably that's to guard your home if the picture is ever compromised?

Do you have more details about prepaid VISAs and Patriot Act? As of a bit ago, you could just walk into any store and buy one with cash.

Not sure if the PA is what caused this, but the last time I tried to set up a prepaid card a couple years ago, (one of those off-the-shelf drugstore ones), the actual card could only have $100 put on it until I filled out a form online that required all kinds of PII, including the requisite SSN.

The prepaid card only worked in person too, never online. (I assume they did this by having a bogus or placeholder name attached in their database, which would fail any basic verification checks done by an online seller, but work just fine at a local retailer.

Agreed. Even though the site says "requires a credit card" as some type of security measure, it doesn't secure anything. What are the chances that if your locked item is opened, you would trace the theft back to this service to notify them?

Slim. You'd have to catch the perpetrator first and then figure out how he got a key.

99.99999% of people don't even know a service like this exists let alone to check if their house key was duplicated there before it got robbed.

In the U.S., the main deterrent against robbery is jail time. Most houses can be broken into with an elbow. Locks prevent silent entry and make it slightly harder to break in, they don't secure anything.

This. Locks keep honest thieves out. I don't know of any house that I couldn't gain entry into in a few minutes, without damaging anything, including my own.

Without damaging anything? Do you mean lock picking? Or you live in a neighbourhood where people leave their doors open?

No, it's often much easier than that. I do live in a pretty quiet neighborhood, but that's not what I meant either. There are a couple of things. One is that people tend to be vigilant WRT their home's primary access, but pay less attention to side-doors, back-doors, garage-doors, and windows. So you can often find one of these left unsecured. The second is that the latches on windows are notoriously bad WRT their ability to stay closed. They can often be dislodged by just bumping them gently while applying pressure in the right place, even when installed correctly. If they were installed incorrectly, or just carelessly, or if the house has "settled" windows can be even easier to defeat. Another weakness of windows is the glazing, sometimes it just slips out, or can be easily pried loose, sometimes it takes a screwdriver. Until very recently, little attention seems to have been paid to the security of windows in residential construction. There are a few other more-foolproof entry methods that I know that do little or no damage, but they aren't the sort of thing that a burglar would do.

PS I learned most of this at Texas Fireman's Training Academy (and just paying attention to my surroundings), in case you're wondering.

I can see a legitimate reason.

This allows you to keep a digital copy of your key. In the event that something unexpected happens, like you are in a different state and you misplace your car keys, you have a digital backup that can be turned into a physical key.

Every modern car I've bought has a chip in the key that it won't start without.

They are enough to let you inside the car, though, which is enough for (I would assume) the majority of locksmith calls.

You buy expensive makes then, I really hope you know that you're way above what most people spend on cars. Most cars don't have those chips yet. The only sort of mainstream car I've seen with a chip in the key is the prius, which starts in the low 20s new.

My 1998 Honda Accord had a chip... I don't usually cite Wikipedia links, but... http://en.wikipedia.org/wiki/Transponder_car_key

Come to think of it, I've only had a Mazda the last 10 or so years. Maybe it's just Mazda then. Their bottom-line Mazda3 (currently 16.7k MSRP) came with it when I bought one 6 years ago too.

Curious. I don't think you could buy a mainstream car in the UK without a chip.

>I really find it hard to come up with a legitimate reason for this service

Do you really find it hard? Let me help you out then. First, there are people who don't live next to a locksmith. Second, there are people who drive home instead of walking, and an extra stop while driving certainly takes more time than checkin mail. Third, there are people who check their mail regularly anyway. Which is pretty much everyone.

That leaves us with all of the people who walk home, live next to a locksmith, and don't check their mail regularly, who can't make good use of this service.

I had a locksmith come and up my door.

Didn't ask for ID, didn't ask for _anything_ other than payment and what door I wanted to open.

So you don't need this service, you just need to pay a locksmith.

Or learn to do what the locksmith does, which isn't all that hard for many locks.

Yes! I remember this was on HN a few days ago and thought it relevant but I couldn't remember the exact name so I googled shoosl+keys+copy+delivery+startup and a variety of combinations based on that but couldn't find the service online. They really need a memorable name.

This is made easier by the fact that key bitting is discrete. The software doesn't have to measure the exact depth of the valleys; it just needs to know which of the seven (or whatever it is for that particular lock) possible heights it's closest to.

I'm not even sure why you need a computer for this - maybe to print out the picture. As mentioned elsewhere in the thread, the heights are discrete, and you could figure out how to reproduce the key with a ruler and a pencil.

With 3D printing coming mainstream in the next decade, combined with high resolution cameras being common on smartphones, it's going to be important to start hiding the teeth of keys.

Already here: http://eclecti.cc/hardware/physical-keygen-now-for-disc-deta... Even higher security locks can be pretty readily replicated.

This could be made much harder both for accidentally seeing the code and for copying if the usual keys got inverted. As in - make them round pipes like the gerda ones, but with holes on the inside instead of outside.

Not only would a photo of it be useless, they'd be also much harder to print (still fairly easy to cut though, but you'd have a hard time doing it manually - it would have to be done by a machine precisely measuring the movements in most cases).

This is why keys need foreskin

Most new prison keys have this feature, I think. It's some sort of retractable sheath of sorts that hides the profile of the teeth.

And some high-security keys don't have teeth at all. They have dimples of varying depth on the side of the key serving the same function instead. These don't jot out and are very hard to copy even photographically.

Key condoms!

Safety is no joke.

The non-intuitive nature of the distinction between physical artifacts and the information they contain seems to be the source of a lot of different problems.

Also, most consumer locks are trivial to quickly pick (after a few days of practice), so the "picture of your key" vulnerability is the least of your concern if you have reason to suspect someone actively desires to circumvent your locks.

I had a hard time understanding the article. Can someone explain why putting an image of the prison's master key on an inmate pamphlet makes any sense? Someone went through the trouble of putting that exact key on the cover--it wasn't coincidental. Did the designer think it was a way of teasing the inmates with the key to their freedom?

This is a good point. No one seems to be able to answer why that picture was taken and then chosen as the cover of the welcome to prison booklet.

I bet somebody originally wanted an aerial shot of the prison, but someone else wisely objected because that would be bad security move - giving prisoners a map of the area...

At first blush, I think one could easily have the attitude that a picture of a key is no more dangerous than a picture of a gun. The vulnerability is clear but not completely obvious. Especially when prisoners can also see the real keys, as guards no doubt have to use them near prisoners from time to time.

Given the description of the key looking like an E, the picture could have been an image of an ancient old key and the actual key was an ancient old key. Old locks with that E style shape are very easy to open due to being so warn. We used to pick them at school using modified spoons and such like. I'd hope the prison wasn't like this though.

Reminds me of a story about the MTA and their master keys being exposed:


This article made me realize that the whole concept of keys is something that needs to be looked into quite a bit with the rise in 3D printing technology. With an excellent 3D printer, one would hypothetically be able to take a picture of keys and be able to print a copy of them.

Physical locks are not that resistant to attack to start with. A $20 lockpick set in the hands of someone who has put in less than 100 hours of training can open up almost any door or padlock in a matter of seconds.

Have you seen how fast and easy it can be with bumpkeys? It isn't nearly as versatile, but a ring of properly made bumpkeys can open the majority of locks.

Indeed. And for that matter, pick guns. Nobody lives inside a safe, security is mostly a matter of societal convention.

My grandfather told me a lock only keeps an honest man honest.

If someone wants something of yours, the only way to keep it out of their possession is to either bank on their honesty or laziness, or to guard it.

I don't see why this would invalidate the concept of physical keys.

The problem of visual key copying can be easily solved by either making keys in a shape that doesn't allow to see the ridges easily (something like 'E' with middle bar being the actual key) or by making a "dynamic" key that changes shape after you insert it into the lock.

competent attackers have been able to sight-read & reproduce keys for literal millennia. What needs to be evaluated is user behavior regarding keys.

I think you'll have better luck adapting lock technology to user behavior than changing every user's behavior.

Good password selection thinking should be commonsense by now to people who post here, but it seems like there's still a lot of work to be done educating the general (less geeky) public.

> What needs to be evaluated is user behavior regarding keys.

Or just smarter keys like cars have these days (which have pretty much stopped non flat-bed car theft).

I know practically nothing about the smarter keys that cars have these days. Could you please elaborate? I'm intrigued.

I don't have any inside knowledge, but presumably the keys and car exchange messages and do some crypto signing. For example, the car makes up and sends a random string, the key signs it and sends it back.

People whose work depends on keys doesn't know their basics working...

If there was a computer and a password printed on those booklets it would have spurred new silly internet laws.

Here is a typical TDCJ key for reference, These are available on Ebay BTW. http://thumbs3.ebaystatic.com/d/l225/m/mir8l4p7ugK0Tt6QMd5Da...

Reminds me of this...


"someone has made a copy of the key which opens ALL Diebold e-voting machines from a picture on the company's own website"

I remember there was some graduate study done at UCSD where they took a picture of a key from afar, and using a computer, be able to create the exact key that accounted for the angle the picture was shot out. Does anyone remember an article like that?

A few comments up from here: https://news.ycombinator.com/item?id=5613791

People often sell master keys on ebay and other sites and upload photos of the key. http://www.schneier.com/blog/archives/2012/10/master_keys.ht...

Bear in mind: It was over 20 years ago, and they caught him again with 12 days.

So, they essentially handed each inmate a key to their freedom (in the form of the handbook) upon arrival?

Am I the only one who thinks that's somewhat philosophical? :)

So much for the myth of the stupid criminal being kept in jail by smart authorities.

Is this an example that a man can be smart and stupid at the same time? paid a lot of effort to get out for 12 days , then got several more years in jail for that,maybe,wow.

Hm...where have I heard this story before...


Security 101? :)

Looks like one of them is released in 2011!


The couldn't have possibly used someones house keys? lol

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact