Listening for pin drops is a misnomer

When teaching beginners how to pick, I find that quickly they learn that they can hold the lock up to their ear and listen for pins dropping as they release tension on the wrench.  If you have lifted pins up at all, the springs will snap them back into position with a little ‘click’.  If you know how many pins are in the lock (which you should) then you can ‘see how close you were.’

This doesn’t work.

There are two common errors in beginning lockpicking.  The first is too much tension.  This is a problem because if you rotate the cylinder within the lock too much, every pin will feel like it is binding.  You will hold both pins against the shear no matter what, and you’ll get a very bad level of feedback of actually lifting over the shear line.

The second mistake is overlifting.  Few people know how little pressure is required to actually lift the key pin, and it is common to just ram the whole pin stack all the way to the roof without stopping at the shear line – a problem complicated by providing too much tension.

Overlifted Pin

Those two problems combine for a false sense of what is happening inside the lock.  If you lift all of the key pins into the shear line – very easy on cheap locks – and then release tension, you’ll be able to hear all of the pins drop.  This causes the ‘oh, but I had it, ‘cause I could hear them drop’ problem.  The problem is that you didn’t have it, there is nothing wrong with the lock, you just overlifted.  It’s a common problem.

The best thing you can do is not listen at all in my opinion.  It’s like sniffing the cork when tasting wine – it’s not going to tell you anything.  The sommelier offers you the cork so you can make sure it isn’t dry or crumbling – NOT so you can sniff it.  Experienced pickers listen at a lock to see if they have something in particular, not just to see if they have any pins lifted.  I sometimes listen early on, to see if my feedback is lying to me.  I try and set one pin, and then see if it snaps back.  I don’t know if it is overlifted, or just jammed into position with too much tension.  But I do know if I made one pin stick.

So, don’t listen at the lock, at least when starting out.  Trust your fingers, and start with easy locks.

C# 4.0 at CONDG

I was very pleased to be able to give my C# 4.0 talk at the Central Ohio .NET Developers Group last month.  Carey Payette accepted my offer to give the talk – based on the last section of my upcoming C# All In One book from Wiley – and I did my best to polish the talk to get it to the level expected by the fine people of CONDG.  Hope I met everyone’s expectations!  The reviews were very nice.

I utterly failed to get any pictures, although @leshka posted this one to TwitPic.  I did get some video, which I’ll put on my SpeakerSite after I get it rendered.


It was a great turnout – 103 people I think.  Wonderful questions too, and some great feedback from many attendees.  Bill Melvin posted a review on his blog, which I appreciate.  Twitter was rockin with comments from attendees, too.  I agree – the fact that the wholesale changes to the language are more or less just for COM compatibility is somewhat disappointing, but the dynamic language features still excite me.  Also, Tim, I agree that just because the dynamic keyword exists means we should use it.

I ran without slides, but I did use a big Visual Studio solution.  That compressed folder of samples is here, warts and all.  Feel free to dig in and see what a warped brain is really like.  The snippets don’t travel well, but the sample code is all in the Examples file.

Anyway, great time, everyone, hope to do it again after I finish the research for the Oslo book.

Blogging Devlink

I was pleased to be introduced to DevLink by Brian Prince this year.  It is a great conference, catering to the more southern members of the Midwest development family, similar in structure and content to CodeMash in January.  Held at a college campus, it has a loose, collegial feel (unsurprisingly) and has some great content.  The proof is in the pudding – a lot of people made the trek from Ohio and Indiana to Nashville for the three day con.

I went a day early to take part in a community leadership mini-con that the Midwest evangelism group for Microsoft put on.  Thrown in an unconference format, this was a gathering of sixty or so movers and shakers in the Microsoft developer’s community, along with a few of us hangers-on.  Steve Webb and I went to try and soak up as much of the community goodness as possible, and some great southern barbeque as well.  We got what we were looking for.

Open Source Community

Due in part to the MVC4WPF project, I have a recent interest in the community surrounding open-source.  I held a session on the Open Source Community and had a great discussion with a few experienced souls.  We determined that in order to have a successful open source project and surrounding community, you need four things:

  • A strong leader, who can focus the energy of the group, and set direction.  Scattered development makes everyone feel bad about the project, and the only reason people participate at all is to feel good.
  • An easy patching process.  If people don’t feel like they can participate, they won’t participate.
  • An existing user base of sorts.  If there is already a group of people working on the project, they produce the core of the open source community.
  • Tool Availability.  If you need VSTS 2008 to do the work, then fewer people will be interested.  You need to be able to do work on the product on your home machine.


The biggest key to growing a community is popularity.  Popular projects – at least in the Microsoft world – have four common characteristics:

  • Need.  There has to be a need for the end result of the project.
  • Caretaking.  Long after the shiny newness of the project has worn off, someone has to care for it.
  • Ease.  Use, development, documentation, everything. 
  • The source should be included in the product install.


Sponsorship ROI

Another cool discussion was on the topic of sponsorship.  As one would expect, it is harder and harder to get companies to pay for the trip to a conference – even an inexpensive one like DevLink – along with the time off, the travel, et cetera.  The group came up with seven ways to sell your company on the idea that going to a con was a good idea.

  • You will be cool by association.  Especially if you are giving a talk, you get to say “Hey this consultant of ours went and presented a paper along with the Famous Tim Wingfield!” or whomever.
  • Being elite is more marketable.  Following along with the last tip, it is true that elite-ness is quite marketable.
  • Providing training / brain dump.  When you get back from a con, offer to run a session or do a screen cast to train others.
  • Put some skin in the game by offering to pay for part or take vacation time.
  • It is true that events build experience, and experience improves marketability.  If you go and get exposed to Azure, you can look a client in the eye and say “I have some experience with Azure.  What do you want to know?”
  • Networking!  Local people travel.  You can sell and recruit.
  • Point out that the sponsoring company will get to retain top talent.  People stay where they feel they are valued, and a cheap way to show value is sending people to events.


On the issue of companies paying the small sponsorship fee to become an actual sponsor of the event (apart from sending people) we discussed the idea of selling access to an opt-in email list.  This could be for sales purposes if you are a tool vendor, or recruiting if you are a consulting company.

At the con

Hey, wait, there was a con too!  After all of that brain pumping at the community summit, I got to go hear the hippest cats in the Midwest talk about some cool technology.  Learned a lot, too.

Thursday was set up as two half-day sessions, which I was only sort-of impressed with.  Don’t get me wrong, the content I attended was really very good, but three hour sessions are really very hard to do.  I’m not sure I would recommend it to the organizers for next year.

I started my day listening to Jim Wooley (aka @linqkinq) chat about database driven web.  He had a good strong overview of the various new ways to quickly set up ASP.NET data access, along with an experienced view into the enterprise ready techniques.  We got a first look at RIA Services, along with the tasty morsels of LINQ and Entity Frameworks in action.

The afternoon session was on cloud deployment, from the very experienced Ben Henderson.  We did a few end to end deployments of cloud applications on both Azure and S3, and I learned about the S3 Organizer for Firefox, which I recommend to anyone working in the cloud space.

The next two days of the con were the usual hour-long segments of technological goodness.  There were regularly seven tracks going on so no one had a problem finding something that they were interested in.  Additionally, there were the open spaces, which follow a free-flowing hippyism format with an open grid and user generated content.  I ran a session on the Managed Code Rootkits that I learned about at Defcon, and had a great conversation with Steve Wallace and others.  (We decided that more research was necessary as to the risk, because if you have admin access, there are worse things you can do than munge up the .NET Framework.)


On top of it all, I had a great time in Nashville, without really ‘doing’ the city at all.  I didn’t go to a ball game, I didn’t hear any big name acts, I didn’t see any celebrities, but I had a great time.  The community summit was at Jack’s Bar-B-Que, which is a Nashville standout.  The hotel was two blocks from Broadway, where all of the fun is.  There was lots of good music to be had on every street corner – who needs to go to a show?  The restaurants that we visited had no fewer than fifty beers on tap each, so how can you argue with that, I ask.  All in all a good time.

So thanks to Brian for inviting me, Steve for putting up with me, the organizers for being good at what they do, and the presenters, attendees and volunteers for making DevLink an all around great con.  Can’t wait for next year.

Elegance is about doing it the simplest way

I am sitting in as team lead for a large project at ICC.  This is a multimillion dollar effort with over 100,000 installed user base.  We are using WPF and WCF and all of the latest TLAs.  In short, it is a big deal.

We are using Scrum Alliance’s TFS template to manage the development effort.  This is new to me – I am usually a functional independent, and not constrained by sprints and scrums and whatnot.  I am used to just getting the job done and that’s that.  When you have forty people on a project, however, you need to have some system.  This one is as good as any, I suppose.

Anyway, we did estimation for our first sprint last week, and I was here with a few other people entering the estimates into TFS Friday afternoon.  Because TFS and Excel work well together, I chose to have the team enter the estimates into Excel, so that I could munge the CSV file with a script, and then import directly into TFS using the Excel integration.  Pretty slick, I thought.

The task names needed to be <document>.<entity>.<tasktype>.<taskname>, and I had those in a hierarchy format, like a legal format outline.  I wrote a little console application in C# to take the CSV file and figure out what all of the values were to create the task format.

using System.IO;
class Program
{
    static void Main(string[] args)
    {
        // Both files are wrapped in using blocks so they are closed even if a line fails to parse
        using (StreamWriter streamWriter = new StreamWriter(@"C:\Users\wsempf\Desktop\R1S1 Backlog  Estimates Import.csv"))
        using (TextReader testReader = File.OpenText(@"C:\Users\wsempf\Desktop\R1S1 Backlog  Estimates For conversion.csv"))
        {
            string line;
            string tasktype = string.Empty;
            while ((line = testReader.ReadLine()) != null)
            {
                string[] fields = line.Split(',');
                if (fields[2].Length == 0 && fields[3].Length == 0) { } //do nothing
                else if (fields[2].Length > 0)
                {
                    //This is a type header
                    tasktype = fields[2];
                }
                else if (fields[2].Length == 0 && fields[3].Length > 0)
                {
                    //This is the data, write the line
                    //whoops, do nothing
                }
            }
        }
    }
}

It worked good – just a quick, one-off script.  Took me about 5 minutes to write.  I even had to refactor once when the task name format changed.  Anyway, I was pretty proud of myself when Larry Beall, the other dev working on the project, says “Done!”  I thought ‘Hey wait!  I have a cool script!’  but you see, Larry had done the same thing, but he had actually used Excel to do the work.

="Air Tariff." & A371 &"." & B371 & "." & C371

He went through and manually filled down the columns, but other than that … pretty simple solution.  The moral of the story – not everything is a nail so don’t always get out the hammer.  Sometimes the simple solution is the best.

Defcon Recap

Defcon 17 is in the books, and Gabrielle and I had another fantastic time.  Props go out to all of the Defcon staff.  The Locksport International team and TOOOL put another fantastic lockpicking village together.  Coffee Wars pulled a record turnout of thirty-six brews, and we met some great people there.  (We lost badly.) And thanks to the hard working goons we met.

We arrived on Thursday, but with the new Defcon 101 tracks, we were practically late.  The lines weren’t much worse than usual but there was a badge shortage right away thanks to the fine people at Chinese Customs.  Gabrielle and I ended up with paper badges at first, but Gabrielle social engineered us into two actual badges soon thereafter.

The badge, as usual, is fantastic.  Kingpin did an over-the-top job of building a sleek, simple badge that still has lots of hacking potential and out-of-the-box functionality.  It uses the 32 pin MC56F8002 processor, with a microphone and an RGB LED to produce visual effects from aural input.  Wired Magazine actually published the open source firmware.  I am not a hardware hacker, but I have been working on getting it to produce different visual output based on pitch rather than volume.

I didn’t get his name, but one of the engineering team from Freescale (the company that made the microprocessor on the badge) came to the con.  He just set up shop in the Hardware Hacking Village and helped people program the board.  It was one of the coolest things I have seen at any con.  As some of you probably know, my hardware experience is circa 1979.  He effortlessly moved between helping me with the most basic soldering questions to the most advanced programming questions.  I was blown.  Get me his address, someone.  I want to send him a bottle of Scotch.

It seemed like the traffic flow was worse at first compared to Defcon 15, but it soon leveled out.  Part of the problem was the need to clean out the rooms fully and then count them coming back in due to the fire code.  The marshals were around, and very visible, throughout the con.

There is a lot of talk about the Riv being too small.  I happen to disagree – I think that DT just needs to find a logistics volunteer that will orchestrate the talks in such a way to control the crowds.  I have seen Gabrielle do it.  It is possible.  (You hear that Jeff?  She will work for Absolut.)  The people at the Riv work their collective asses off to make it a good con and you just can’t replace that.  Let’s change the logistics instead.

Oh wait, there was technical content too!  Who knew?

The most significant thing I learned is that for all of the protections for CAS in the .NET Framework, there is a mind blowing flaw.  The framework assemblies are just called by name.  If you replace an assembly, EVERY .NET program on that machine will use the altered DLL to run the program.  Does that mean if you replace the encryption protocol to email the keys to China, that all programs will send that key to China?



Props to Erez Metula.
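
A defender's check for the replaced-assembly problem described above, as an added example that is not from the original post or from the Defcon talk: hash every assembly under a framework directory and compare the result with a baseline recorded while the machine was known to be clean. The directory layout and file contents below are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import json
import os
import tempfile

ASSEMBLY_EXTS = (".dll", ".exe")


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large assemblies are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative path: SHA-256} for every assembly below root.

    Paths are lower-cased because Windows file names are case-insensitive.
    """
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ASSEMBLY_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                hashes[rel] = sha256_file(full)
    return hashes


def compare(baseline, current):
    """Classify differences between a trusted baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Build a constructed assembly tree, baseline it, alter one file, re-check."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "assembly")  # stand-in for the real directory
        core = os.path.join(root, "GAC_32", "mscorlib", "mscorlib.dll")
        sec = os.path.join(root, "GAC_MSIL", "System.Security", "System.Security.dll")
        _write(core, b"constructed bytes: core library v1")
        _write(sec, b"constructed bytes: security library v1")

        # Baseline taken while the machine is known to be clean; in practice
        # it is stored off the machine so a local admin cannot rewrite it.
        baseline_path = os.path.join(work, "baseline.json")
        with open(baseline_path, "w") as handle:
            json.dump(snapshot(root), handle, indent=2, sort_keys=True)

        # Same name, same location, different contents: the replaced-assembly case.
        _write(core, b"constructed bytes: core library v1 plus extra code")
        # A file that was never in the baseline is reported separately.
        _write(os.path.join(root, "GAC_MSIL", "Extra", "Extra.dll"), b"constructed")

        with open(baseline_path) as handle:
            baseline = json.load(handle)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Legitimate framework updates change these hashes too, so the baseline has to be re-recorded after each patch cycle.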

There was a great talk on using iMacro to do screen scraping for AJAX sites, and I plan on getting some new PoCs for that up in the future.  It wasn’t rocket science, but it was a really good implementation of a simple idea that I sure as hell didn’t come up with.  I mean, if it was easy, everyone would be doing it, right?  Screen scraping is a massively underused art.  There is a LOT of information out there and the web browser just sucks for really making use of it.

So much net development was done on Metasploit in the last 12 months that they got an entire track dedicated to it.  The biggest piece is undoubtedly the Oracle module, which really puts all of the disparate Oracle attacks into one place for ease in testing.  I can’t recommend its use enough if you are a pen tester or in charge of db security.

The civil liberties content was significant compared to 15.  Nearly one whole track for three days was filled with lawyers telling us how not to go to jail when we fly to Italy on vacation with some music of questionable origin on our laptop.  I just popped in and out of these, but every time I did I learned something.

Did you know that if you are asked to give up your password in the states you can say “come back with a warrant” but if you are flying overseas, they can just take the machine without your permission, copy the whole hard drive, and say “Thanks for the warez, d00d.”  Lesson learned?  Carry an empty laptop overseas and download your data set from a secure channel once you get there.  When done, upload results and clear the machine again.  Microsoft doesn’t even LET you carry a machine overseas.

Speaking of privacy (weren’t we, really?) social networking was a huge topic this year.  Tom Eston and Kevin Johnson gave a great talk on some proof of concept work they did on social networks and trust.  For instance, set up a parody account of a ‘B’ celebrity, and gain trust of followers.  Then send out a link for a fun quiz with an XSS attack.  Gain twitter cookie, get password, rinse and repeat.  Social Butterfly is another of their tools, which manages the creation of apps in social networking sites like Facebook.  It collects user accounts to be used for research purposes.  Check it out.  It’s not just that picture of the Christmas party last year that will get you in trouble on Facebook.

Locksport village was very informative, very well attended, and very well stocked.  I picked up some new equipment and finally met both Schuler Towne and Doug Farre in the flesh.  Doug and I are going to make some moves toward getting the Locksport International organization a little more, well, organized, and get things up and running there. 

Gringo Warrior was a hoot.  I supplied the live guard with a cigar (which he really needed!) and watched.  Deviant had a whole boatload full of people, and I hadn’t practiced enough, so I didn’t do it this year.  Maybe next year.  The ah-ha moment for that was watching a very accomplished picker run the whole gamut in three minutes, and then spend ANOTHER three minutes trying to open the car door.  After that, Deviant stood by the auto locks and yelled “Everyone look!!”  Took out his auto jigglers.  “Easy lock,” pop.  “Medium lock,” pop.  “Hard lock,” pop.  “GET some jigglers people!  They aren’t that expensive!”  I got some jigglers.

My Defcon moment had to be standing in the elevator lobby waiting for a ride down from my floor, when thumping bass – LOUD thumping bass – became clearly audible.  I thought “that’s one hell of a boom box.”  Wait.  Aren’t those lights?

The door opens, and there is a full mobile DJ station in the elevator.  I kid you not.  There was a mini-rave going on right there in the elevator with a DJ and dancing babes and the obligatory big white guy who can’t dance just bobbing his head and looking cool.  It had to have been the coolest thing I have ever seen in an elevator, bar none.

Can’t wait for next year, folks.  This one was fantastic.  Till then, see you at PhreakNIC!

Breaking news: "Internet Lawyer" clueless

I have started and deleted this post three times because I am so fired up.  I ended up just making a comment on this guy's blog, but I thought I would post it here since there is exactly 0% chance he will approve it.  The post is by an internet lawyer and points out how 'nasty' Defcon is and that it should be 'shut down' if it doesn't 'clean up its act'.  I am tense.  Very, VERY tense.

OK, here is my comment:

Imagine you are in charge of infosec for a large bank, running Oracle. There are 3,000 developers - most of them contractors - working with various databases inside your firewall. It's you, with nothing, versus 3,000 people you don't know backed potentially by 22,000 Russian and Chinese criminals with the latest 0day exploits. What are you going to do?

Well, first, you are going to go to Defcon, where without telling them which bank you work for you will learn the latest on these exploits from hackers who would be glad to give the information away nearly for free (since Oracle rarely does anything about them). This way, you know what you are faced with from the people who aren't so open. We usually call those people the criminals. I am sure you have heard the term.

Second, you are going to use Metasploit to test said database. Why? Because it is a framework for penetration testing with all of those exploits already in place. You can make sure that your database can't be compromised by those nameless criminals (there's that word again), all due to the VERY hard work of just a few extremely smart ... wait for it ... hackers.

You, my "internet lawyer" friend, have completely failed to get the point. You mention "finding an alternative approach for sharing knowledge and information away from the public eye." All of this information is already out there for those who care to find it. Defcon makes it available to the overwhelmed many who are tasked with protecting what we have. And that's a bad thing exactly how?

Thoughts are welcome from the peanut gallery.  Remember to read his post first, and the comments.  I do give him credit for allowing a few comments through.  Gah, sorry, I am just astounded that there are people still like this in the industry.

EDIT:  Ok, I was wrong.  He actually did publish my comment and published his own rebuttal, and my respect for him increased somewhat.  Nonetheless, it's that old argument: if you make owning a gun criminal, only the criminals will own the guns.

MVC4WPF Launch on Thursday - use the MVC pattern with WPF successfully!

As posted earlier by Brian Prince and Stephen Giffin, the MVC4WPF project will be launched to CodePlex on Thursday.  We will be having a splash at the Columbus Microsoft office in the morning - if you would like to attend, please RSVP here.  I'm actually quite proud to be involved in this effort, even if just as a tester and tech writer.  The thought that went into this product is very impressive.  If you are doing large WPF projects you certainly owe it to yourself to check it out.

A little about MVC (from the Developer Guide): Model-View-Controller is a pattern for software development.  It doesn't provide development tools of its own, but is rather an agreed-upon way to go about developing software.  It builds upon the concept that divides the basic functions of a contemporary application into component parts:

  • The model, which represents the underlying data;
  • the view, which represents what the user sees; and,
  • the controller, which manages the business logic and communication between the view and the model.

The three parts of the software communicate with the use of agreed upon contracts that define communication between the parts, and property bags that hold configuration values and data objects. 

MVC works well with WPF because Microsoft has done some of the heavy lifting for us in the division-of-duties arena.  Like ASP.NET, the View code is physically segregated into a code file all its own with the XAML file (ASP.NET of course uses the ASPX file).  This basic architectural decision makes things appropriate for MVC.

MVC4WPF has a ton of automation to make development much simpler than many other MVC environments.  It is appropriate for junior developers, and is very forgiving to work with.  It is rather open ended, and will cut you if you don't read the recommended usage.  The project will come with a boatload of documentation (some of which I wrote) that will help a lot.

Keep an eye on the codeplex site, and come on up Thursday if you get the chance to see what I am talking about.  Should be a good time.

Bing is filtering searches they suspect of being for crackers

So I posted a search on Bing today, to check some statistics, like I would with Google.  You know, you search for a unique term, and then search for it in conjunction with another unique term, and you look at the delta, and you learn something.

Well I learned something alright.  Lo and behold, Bing didn't like my search.  Instead of results I got a plain white page that said:

We are seeing an increased volume of traffic by some malware software. In order to protect our customers from damage from that malware, we are blocking your query. A few legitimate queries may get flagged, and for that we apologize. Please be assured that we are hard at work on this problem and hope to get it resolved even better as soon as possible.

Imagine my surprise.  I wonder if there will be a large collection of blue towncars and Bill Gates dressed like Wolverine in my driveway in the next ten minutes.  Seriously, if I vanish, check for pieces of my DNA in Steve Ballmer's bathroom.

This is a lesson to those of us looking to the Internet to be the be-all and end-all of storage devices.  Remember, you don't OWN crap.  Jason Scott said it best in his blog post Fuck The Cloud, so I won't repeat it here.  Be warned that if you post something that someone doesn't like, and they own the box, no law on earth is going to keep them from doing damn well what they want with it.

For now, my default search engine is Google, and I publish my information to servers I can touch.

Cloudcamp Columbus

So I am sitting here at TechColumbus watching the Unpanel at CloudCampColumbus.  Everyone here has a very good perspective on cloud and the problems and benefits.  The list of unpanel topics reads like a collection of general questions about cloud.

  • Auto scaling
  • Server huggers
  • Hybrid Clouds
  • Encryption
  • Security
  • Compliance
  • The business case
  • Disaster recovery
  • Scalability Planning

I think we just about covered it.  We are picking sessions now.

  • Intro to cloud
  • Architecture for the cloud
  • What and When to move to the Cloud
  • Examples of cloud apps
  • Enterprise Utilities
  • Cloud OS Security
  • Cloud Storage
  • App and Data Cloud Concerns

Proof that the unconference idea works?  Who knows.  Decided on the Architecture group, and now am sitting with a bunch of people smarter than me.  Bummer.

So anyway, there is some meta conversation revolving around cloud computing that I have yet to completely master, but I think I am getting the idea.  People are wrapping the big providers around themselves.  For instance, ShareThis, who is talking right now, is an EC2 partner, and they just resell the service.  They don't really make or provide anything at all.  It is an ISP reseller.

This begs the question - is this just hosting?  That's all it is.  No one is really using this for anything significant yet, at least not at this level.  Right now, they are just providing site hosting for applications that go viral.

So what is the highest level of cloud?  What can be done with this other than scalability?  Funny, they are talking about the same scaling problems that everyone has now - caching, bad code, weak queries.  Cloud won't help there!  What is it REALLY for?

That meta question brought a lot of interesting answers.  Brian Prince brought up the reality of disposable computing.  I thought that was a good point - you can treat the computing resources as temporary assets.  Where does that lead us?  No answer yet.

Microsoft Windows 2008 Server Licensing For Dummies

I was honored to be asked late last year to write Windows Server Licensing 2008 for Dummies as a joint project with Wiley and Microsoft.  This is a custom book – an eighty-six page minibook specifically for Microsoft to give to customers working on licensing Windows Server 2008.  I finished it in March, and finally got a few copies.  If you want a copy, you have to ask your local Microsoftie!

Anyway, the book came out very well.  The people in the licensing office are so very knowledgeable and easy to work with; the project was a complete joy for me.  What’s more, I think it really is a win for the average IT manager – the book is readable, easy to understand and accurate.  Licensing is foreign to many people, but with a few basic points in mind, you really can keep legal and save yourself some money!

I think the custom book concept is a real win for Microsoft too – they get a great, well known format for not much more cost than it takes to develop and print all of those whitepapers that no one ever reads.  People actually read dummies books, you know what I mean?

Anyway, they gave them out at TechEd, and I think there will be more at PDC when the time comes.  Drop by the Windows Server booth and snag a copy in November.

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.


