My son and I we’re doing some back to school cleaning yesterday. Amongst the unbelievable amount of garbage we found in his school cabinet was his master combination lock. He used it back when going to a school IRL was a thing. I asked him if he remembers the combination to which he nonchalantly says in typical teenager fashion: “I don’t know. 35, 20, 7”. That really gave me a lot of confidence this was going to work. Anyway, after 15 minutes of me harassing him multiple times to remember the correct combination and trying them on the lock we get no joy.

That’s really how this story should have ended. I should have given up on the lock and put it back in the “never to be used again but I can’t put myself to throw away” pile and forget about it. It was a $10 lock for goodness sake. My son did not really need it for anything at this point. I have an entire afternoon to do more productive things with my life. So obviously I decided to figure out how to open it… 🤦‍♂️

You know you’ve fallen into a rabbit hole when your fingers are numb and you’ve spent over six hours fidgeting and fighting with a combination lock. Your very own teenage son is amazed/amused to see you keep at a futile activity you both know is unnecessary. You then look back and try to reassess your life choices to see how you got yourself there 😂.

• 

• 

It all started with a youtube video of someone explaining how to figure out the first and second number by feel. It involved applying a certain amount of force on the shackle while turning the combination. You need to learn how to feel for the resistance on the lock while slowly easing the force you’re applying to the shackle. Once you can only feel the resistance on one spot then you have found your first number. This is probably the only step that I could find that most youtube videos have in common. The rest of the instructions are a mish-mash of fiddling around each section to find an odd one out or trying a bunch of combinations with the first and second number. Long story short, hours into this now growing obsession, I had failed to open the lock.

I abandoned the unreliable youtube tutorials and started just googling articles on how to unlock a master combination lock. I ended up finding this guy: https://samy.pl/. This is the same guy who wrote the infamous myspace worm. The fastest spreading cross-site scripting worm in history. It seems he’s been busy in the last decade or so working on cool projects like the evercookie: https://samy.pl/evercookie/ which is a super cookie. An evil piece of code that will keep a cookie alive on your browser to allow web sites to track you. More recently though he’s worked on less glamorous but not any less awesome projects like this: https://samy.pl/master/master.html.

A master lock combination lock has 64,000 potential combinations. Those unreliable youtube tutorials I spent hours trying to get to work would significantly reduce that to 100 potential combinations. Samy’s ingenious attack is able to solve this problem in less than 8 attempts! I am amazed at how people like Samy (which most people would pejoratively call hackers) solves a problem. They methodically look at the problem and systematically break it down into smaller parts that can be easily understood. I fell down a rabbit hole watching him take apart a master combination lock and talk thru his whole thought process of how he developed this super efficient attack.

And just to make sure it’s geeky enough; at the very end he shows a prototype of an arduino build that brute forces a master combination lock which is pretty cool to see.

Now was all that effort worth it to unlock a $10 master combination lock? The look of amazement (or maybe futile amusement) on my son’s face when I finally opened the lock after hours of wasting time on it sure feels like it 🤣. I’m sure I am setting a great example for him on how to wisely manage his time and the power of perseverance.