
On twitter recently, a conversation arose between myself and some other lockpickers and locksmiths regarding everyone’s favorite pick tools for everyday carry, typical entry, etc.  I promised folk that I would document my personal gear, and no disrespect to Team #RockAdvocacy, the following are the lock tools that tend to be on or near my person all of the time…


My Main Pick Kit

This is what most folk would expect me to show if I were asked to take out my “pick kit”… it is a case made in the style of the HPC “Superior” kit, but the leather is far softer and I like that the inside is left as a natural suede.  It was obtained from my friend Ed, a locksmith in New Jersey… and hand crafted by a friend of his.  It’s been with me many years.


Unzipping it and looking inside, we find…



… an assortment of various things, certainly not all of which are picks and turning tools.  But every last item in this case has been useful enough to me (more or less) over the years that I keep it in this form pretty much all of the time now.  Let’s take a closer look and I’ll list what’s in there…


… going more or less in rows from the upper-left on down, my zippered leather case contains:

  • a Mini-Jim is at the top left, because why pick a lock if you can bypass a latch?
  • laying on the open case is a key decoder card, similar to these from Pro-Lok.  Useful while impressioning or just when you want to re-pin a lock or quickly learn key bittings
  • the red-tipped item is a chopped-down Grobet Swiss #2 file half round, for impressioning and other small work (like making a bump key or adjusting small parts or bitting cuts. I use it a lot actually)
  • LAB brand small-size pinning tweezers.  These were a gift from Clay, the owner of Lockmasters and S&G, when he couldn’t bear to keep watching me re-pin locks by hand with nothing but a half-diamond and my slotted wooden dowel follower.  I insist that I was doing just fine that way.  😉
  • a Peterson American Lock bypass driver is seen, with blue tape covering the spot where the plastic dipped handle has chipped away over the years.
  • the next row begins with a two-pronged Wishbone style turning tool.  Lots of folk don’t like them, and I seldom need it, but I like having it.  It doesn’t fit well next to the other turning tools, so off on the left wing it lives, next to…
  • my keyring full of wafer jigglers, warded lock tools, and the decoder for my convertible 7-pin/8-pin tubular pick (kept in my other kit, below)
  • a Traveler Hook (a.k.a. Shrum/Loiding tool) is seen with a green finish.  You won’t see that in anyone else’s kit because there are no others exactly like it (in green) but similar ones are available online.
  • starting the next row is a small wooden dowel that I use as a plug follower when servicing locks in a non-serious way.  Solid core and no lip on either end, that makes it perfect for me.  I’ve carved a small notch slot in the wood (with the Grobet file) and that’s all I need most of the time.  One layer of blue painter’s tape made the surface smoother and fits it nice and snug into almost all typical plug housings
  • Bobby pins with the little balls cracked off of their tips are great for demos of improvised handcuff tools (or when you need to un-set a double lock on a handcuff)
  • Most of the time, the handcuff shims right next to those pins are all I need, however.
  • I also keep one of the tools that some outfits call an “EZ Decoder” but I simply refer to as the “Master 175 bypass blade”
  • A thin sliver of metal can be used to rear-shim a lock during disassembly, and next to that is a tiny S&G safe dial spline key… good to have when you really need one!
  • What remains in the kit photo, therefore, are my pick tools… and there aren’t a lot.  One medium-sized hook, a half-diamond, and three rakes (one classic Bogota and two long-handled faux-gota picks) are kept in there along with over a dozen turning tools… and each one is slightly different than all the others.  I find the best fitting turning tool possible in whatever scenario I’m facing and go from there.

Now, there are some times when it’s really useful to have a larger item that can’t fit in this case.  Hence, in my backpack (where this above-kit lives) I also have this auxiliary pouch…


Auxiliary Tool Pouch

This leather-ish velcro-flap case was probably originally for sunglasses or something like that…


… now it contains…

… so that is an assortment of items that are sometimes useful (both for entry work as well as field-servicing tasks) but I can’t fit them (or choose not to attempt to stuff them) into my “main” pick case.  In any event, the above items (both the main pick kit and the auxiliary tools kit) live in my backpack most of the time, and aren’t typically in my coat or in my pants pockets.  However, I will in all but the most RARE circumstances, always have picks on me.  Let’s move on to…


Pocket Carry Kit

The following item is almost always present in the hip pocket of any pants I’m wearing…


… fashioned from an old leather cigar case, I use this mostly to prevent my everyday-carry flashlight (a Klarus XT2C) from flipping sideways in my pocket and being uncomfortable.  This little leather case allows me to easily manage the flashlight, a small lip balm, and also what we’ve come to call my “golf bag” pick set…


… so-named because of how the beige tube (fashioned simply from gaffer’s tape with a tiny rare earth magnet in the bottom) looks with all the picks and turners sticking out the end.



… honestly, the “golf bag” pocket kit gets far more use from me than my “main” pick kit does.  Why reach into my backpack in order to open a lock when chances are I have all I need in my pocket?  This little kit contains…

  • one faux-gota pick (the only full-size pick in this little case)
  • a double-ended medium hook and snake rake (rarely used)
  • a chopped-down HPC half-diamond
  • a chopped-down thin stainless steel half-diamond
  • a chopped-down HPC medium rake
  • over a dozen turning tools in a wide range of thicknesses and styles (some unbent)

… yeah, 9 times out of 10, when I want to get something open, that little pocket kit is enough for me to do it.  I can always turn to the leather zippered case since my backpack is often around (especially at cons or on jobs) but I usually don’t need that.

On the off chance that I don’t have my “pocket holster” as the above-seen brown leather item is sometimes lovingly called (maybe I’m in a suit at a formal affair, let’s say) I will always have my wallet on me…


Wallet Carry

Underneath my licenses and credit cards and other blah blah in my wallet, there are some other tools that I always keep beneath me when I’m seated.  😉  They tuck in small extra pockets, some of which I’ve stitched into the lining, etc…


… these last-ditch “wallet carried” tools include a TOOOL Emergency Pick card behind my credit cards and the following items slipped below my license…


  • A “Husky Head” tool – once available in the 70’s and 80’s, this awesome little item is sadly discontinued now.  Check eBay or vintage sites for them.  It was a keychain that would work well with large or small screws, both phillips and flat-head.  Is it as perfect as a proper screwdriver?  Of course not.  But it’s flat as flat gets.  And that’s enough to make it worthwhile.
  • A diamond wire blade – never needed to use it, but SERE pick sells a LOT of them for a good reason!
  • titanium Bogota pick (triple hump only)
  • titanium flat metal stock converted to a simple turning tool
  • titanium cuff shim (split pawl style)
  • S&G new style cuff key (which I should really get around to converting to a TOOOL universal key)


… so, there you are!  Those are my various “everyday carry” lock tools.  It’s more than most folk might tote around, but less than you see in a lot of “ultimate” kits that contain way too many items, in my view.

These items, carried in the way I have described, have pretty much always guaranteed that I never complain about wishing I had something but not finding it on me.  Well… every so often, I wish I had a plug spinner.  😉




While having a discussion with a close friend recently, the topic of bug bounties came up.  She asked me what I thought was a reasonable price range.  I learned from discussion with her as well as discussion with others that the physical security world is massively different from the IT world in this sense.

Often in our lectures and trainings, we draw a parallel between the physical and digital realms.  The same principles apply, the same kinds of errors lead to the same risks and the same lessons learned.  However — and there’s really no getting around this — the cost to repair/upgrade/patch physical systems tends to be much, much higher.

For this reason, manufacturers of locks, access controls, and other physical security technologies are much more loath to even discuss (let alone disclose) vulnerabilities with the public.  Likewise, because of the very long persistence that physical bugs tend to have (even when they do become public), this sort of attack vector can be weaponized to much greater effect.

While bug bounties in the software world tend to float around the low four-figures (although occasional high-four-figures and five-figures do happen, and sometimes garner a bit of attention when they do… and six-figure bug bounties have existed very, very rarely) I took the position that just about anyone whom I know in the physical security world would scoff at numbers in the $1,000 to $5,000 range.  Well, perhaps not scoff, but most assuredly we would consider them almost comically low.

In the realm of physical security exploits and the development of tools that leverage such vulns (a development process that often entails far more cost and time than the writing of proof-of-concept code for software bugs) this kind of research often commands five-figures at a minimum.  Such deals also almost always entail NDAs and other very strongly-worded agreements to effectively never publicize said research.  Put plainly, if a physical security researcher finds a flaw in a high security lock, the market for that work tends to be either governments or private firms with deep and often shadowy connection to government operators.  A working tool that can be used to attack a physical security system often commands far more in the private realm than a designer would ever hope to recoup by bringing it to market publicly through retail channels.  Add that to the fact that most designers and vendors in the hardware and physical security space aren’t courting researchers with fiscal rewards, and this leads to a LOT of hardware bugs (lock flaws, access control system hacks, safe manipulation tools, etc) never being revealed to the public at large.

Let us make no mistake, the government and law enforcement are interested in your data, too.  Their eyebrows perk up at the notion of software flaws and privilege escalation within networks or computers… but what really gets a lot of spooks and police salivating is the chance to surreptitiously enter physical realms.  Intelligence gathering, eavesdropping, sneak and peek work, etc… all of this is based greatly around physical access, and that means possessing attack vectors against supposedly high-security lock systems which the public believes to be immune from vulnerabilities.

Unless physical security vendors consider offering genuine bug bounties (something that is far from likely if they aren’t yet even interested in public disclosure of discovered flaws) the only avenues for researchers are going to be:

1. public disclosure simply for the sake of the community and for the fun of speaking at hacking and security conferences

2. private sale to governments who will undoubtedly use this knowledge for purposes of surveillance and covert entry

So, give a cheer for every hacker con which accepts a talk with a physical security angle.  The speaker may have turned down considerable funds in exchange for being able to present to you.  And the topic areas, while sometimes not-the-norm, are far better aired publicly than kept quiet.

NOTE – This post was not supposed to turn into a “let’s pat ourselves on the back here in the phys sec world” diatribe, so forgive me for that.  Still, I’m pleased to be able to report that — as of the time of this writing — The CORE Group has never accepted any offer of keeping research private in exchange for money, access, or favors.  Our works are always either portrayed publicly and/or disclosed to the original vendor so they may endeavor to correct said problems.

While road-tripping down to CarolinaCon, a few of us in the car were seeing the “hugs at hackercons” thread on Twitter.  It generated a bit of good discussion among us, but for the most part we were focused on getting to Raleigh and presenting and socializing and generally having a good time.  Of course, the hacker community’s drama-engine is fast-moving and mere days later, we seem to have moved on to RSA dress codes and the awful antics of BlueCoat.  So, while this blog post is hopelessly outdated now, I’m still offering my thoughts.  😉

Much of the HugGate drama on Twitter seemed to come down to the following arguments (often badly-expressed and hopelessly truncated by Twitter’s 140-character limit)…

“I don’t want to be hugged at conferences”
“So then tell people to not hug you”
“I shouldn’t have to tell others, they should just not hug people”
“Hugs are awesome, you’re just silly if you don’t like them”
“Hugs vs Handshakes is a clear-cut case in most of the world (link to this article)”
“The hacker world isn’t the business world, we’re a family”
“But some people are aspy and don’t like to be touched”
“No one should ever be touched if they don’t want it”
“So no one should hug anyone?”
“That’s not what I said!”
“I’m going to hug you!!”
“I like hugs, that’s fine!”
“So, are we still arguing?”

… and so on and so on.  The crux of these issues was distilled down by many into two camps — pro-hug and anti-hug — but that’s an over-simplification.  A fairer pair of titles would be pro-hug-environment and anti-unwanted-contact and their positions could possibly be summarized thusly…

Pro-Hug-Environment: “We like to surround ourselves with friends and family in the hacker world and we value situations when the context allows for many hugs and close contact.  With much time spent in the cold and impersonal business world, it’s nice for us to create a space where people are much closer.”

Anti-Unwanted-Contact: “That’s great that you love being all friendly, but some folk take it too far… and when I’m at hacker events, I have to fend off unwanted hugs or other contact because of the environment that’s been cultivated.  The onus shouldn’t be on me to prevent what I see as harassment.”


Here’s the thing… both of those camps have elements to their arguments that are quite valid.  No one should ever be subject to touching or direct contact that they find unwelcome.  (Unlike speech, which I feel anyone should be able to express at just about any time, actions — such as direct contact — should never be forced on to another party.)  Alternately, if a group of people seeks to create an environment where they feel more at liberty to bond and be more casually intimate with liberal hugs, etc… that’s their right, too.  Let’s not forget that hacker cons are, by and large, private events and it’s fine for them to reflect the views and values of their creators and participants.

Sometimes, we forget that all situations are different and every “event” or “gathering” or “space” has its own unique values and atmosphere.  Trying to map the values and behaviors associated with a workplace on to a hacker con or those of a music festival on to a public park is about as logical as trying to map the norms of one country’s citizenry on to those in a foreign land.

It’s important to consider the base-rate of behavior and the commonly-accepted norms in any circumstance and allow that to dictate our mores, norms, and rules of proper conduct.


I propose the following when it comes to hugs… think about the situations around you on a hug spectrum …

hug spectrum - 00 - scale

… for those who can’t read this easily (you can click any of these images for larger versions) it’s essentially a scale of how intimate the greetings tend to be between both (a) people known to one another and (b) people meeting when they don’t know each other very well.  Here’s a written breakdown of the various points on the axis…

+4 Big kisses for basically anyone who comes along

+3 Hugs liberally shared all the time. Small kisses common, too, even upon introduction

+2 Hugs typical as an introduction, little reservation shown among known folk

+1 Hugs common between all friends and acquaintances, sometimes hugs even during an introduction

+0 Hugs for family and very close friends only, handshakes upon introduction to new people

-1 Folk pretty reserved, usually shake hands even if known already. Handshake almost always as introduction to new folk

-2 Hugs are outright considered odd in public, even if known. During introduction, only handshakes are used

-3 People prefer to not have any  physical contact with unknown folk

-4 No acknowledgment of strangers out in public

… so, I’ve made this pretty wide-ranging.  I think that we can safely dismiss or at least not give much consideration to the environments at the +4 and -4 ends of the spectrum.  You’re unlikely to see the +4 “Kiss basically anyone who comes along” as the norm outside of hippie gatherings, raves, or the declared end of a world war.  Likewise, the -4 “No acknowledgement of strangers out in public” standard doesn’t really apply anywhere outside of the most repressed dictatorial or religiously-fundamentalist regimes.


But almost all of the other points on this spectrum are fair game in some situations.  I think that the zero mark in the middle of the axis could be called “the United States societal standard.” We are a people who hug, but your typical American doesn’t go around embracing just anyone.  Our society’s normal method of introduction is the handshake.

hug spectrum - 01 - US society


On the hug spectrum, however, it’s important to consider both the base-rate for a given situation as well as the margins directly on either side of that mark.  A society or group can be thought of as supportive and inclusive if they are aware of others whose preferences and standards lay a little bit outside of the mean.  See here…

hug spectrum - 02 - US society margins

In the USA, it’s not uncommon to encounter +1 people who offer hugs as a form of introduction.  Alternately, there are plenty of  -1 people here who are reserved and don’t offer hugs often at all, even to people whom they know.  Being an accepting person means expecting to meet people like that with some regularity.  The red arrow folk should keep themselves open to social cues and indicators so that the yellow arrow folk do not have to offer a lengthy explanation of their slightly different position.  This is the kind of environment that we should aspire to have.  People on the margins should feel accepted and not like they are troubling others or in need of constantly explaining themselves to others.


Let’s apply this hug scale to the business world…

hug spectrum - 03 - business world

… where the norm is handshakes.  Handshakes are always the default when meeting new people, and for the most part they’re what’s shared even between people who know each other.  Of course, the rule of the margins applies…

hug spectrum - 04 - business world margins

… some people in the business world are comfortable hugging friends, even at the office.  Others in the business world consider any kinds of hugging in the office — even if family visits — to be unwarranted.  Again, these yellow arrow folk should not have to explain their position explicitly every time when meeting new people.  Most folk should just pick up on social cues and be able to tell whether someone’s preferences are slightly different and act accordingly.


This “rule of the margins” applies, no matter where the base-rate may be.  Consider a society that is very different from the USA, such as Brazil…

hug spectrum - 05 - brazil

While I’m sure some citizens of the world’s fifth largest nation may disagree with the above chart, it’s quite definitive that they are a much more touchy-feely people than Americans are.  Embraces and even the customary Latino kiss-on-each-cheek are common for all sorts of greetings.  And, as the yellow arrows in the margins indicate: for some people there hugs are only “typical” and not absolute, or on the beaches of Rio during Carnival lots of kissing with strangers is abundant.


An inverse of this can be seen in many Muslim nations, where repressive religious values result in societies around -3 on my scale.  Instead of touching other people, many citizens opt for the salām… a greeting of peace which is often bestowed not with a hand outstretched, but rather simply held over one’s own chest.  Again, in such societies, one does well to be on the lookout for people on the margins… either those who do opt to shake hands or those who are strictly conservative and prefer almost no acknowledgement of strangers (this particularity usually only manifests itself when the interaction is between two people of differing genders.)


So where does this leave us with hacker cons?  Well, let’s turn again to the base-rate as far as hugs are concerned.

hug spectrum - 06 - hacker con

While there are many people who might disagree, I take the position that within the hacker community and at our cons, the norm tends to be the +2 mark on the hug spectrum.  While certainly not obligatory, hugs are typical when meeting new people.  So, when we apply our rule of the margins, what does that tell us?

hug spectrum - 07 - hacker con margins

Individuals whose preferences lay at the yellow arrows should not be made to feel like outsiders or oddballs at hacker cons.  The general attendee base, if they are truly interested in keeping our community a welcoming and accepting place, would interact with each other on the principle that most people are a +2 while at the same time keeping their eyes open to the possibility that a person they encounter could be a +1 or a +3 hugger… social cues and nonverbal communication should hopefully be sufficient most of the time to convey those nuances.


What about actual outliers, however?  At a hacker con, maybe some attendees are the type to simply only hug family and close friends.  Or, on the other end, maybe some folk are the type to be super liberal with passionate kisses for those around him or her.

hug spectrum - 08 - hacker con outlier hug spectrum - 09 - hacker con outlier

In each such case, I do not think it’s wrong for these people to be considered statistical outliers.  They are far-enough removed from the base-rate of that particular environment that it could surprise most others there.  This is not to say that there is anything wrong with someone such as this.  Again, I firmly believe that anyone may hold their own opinions and values when it comes to personal contact, and that they should be able to do so without shame or reprimand.

However, when a person is sufficiently removed from the base-rate, obligations under the social contract shift a bit.  I feel that no longer should it be considered the burden of the group to be on the lookout for and be able to subtly detect when this very different value is held.  If someone is an outlier, then the burden shifts further to them in terms of communicating their values and preferences when encountering other people.

Attire, stance, and demeanor go a long way to helping this communication, of course.  Wearing business-casual clothing and maintaining a respectable distance from others during a new introduction at a hacker con can help to signal that you’re more comfortable with the business-world standard of “handshakes are the norm” but I believe that no one should be thought of as a bad person if they fail to pick up on this.  A friendly but straightforward “hah, sorry, I’m not much of a hugger” can be communicated if someone leans in for an unexpected embrace.  No one should feel bad.  The 0 spectrum non-hugger is justified.  The +2 hug-desiring hacker shouldn’t feel dismissed or shunned.  And the con itself shouldn’t feel bad for cultivating an environment populated by predominantly +1 +2 +3 hug-spectrum folk.


Hug if you want to.  Shake hands if you prefer.  Kiss loads of people or ignore strangers entirely… the choice is 100% yours.  But let this hug spectrum be a guide.  Familiarize yourself with whatever the base-rate is for any environment into which you proceed (people who know me are aware that I’m a huge supporter of travel and experiencing other cultures, the rule applies there, too) and then do the following…

1. expect that most people whom you encounter will probably have values and actions in accordance with the base-rate

2. be on the lookout for people who are just at the margins of the base-rate and let social cues guide you in those interactions so that these people needn’t explain themselves.  It is the responsibility of the group to help them feel included.

3. if you are not just different from the typical base-rate but actually well outside the margins of an environment, be prepared to communicate your feelings and values to others.  In those cases, the responsibility falls to you more than to the group.


Just because a person who is substantially different from the group around them feels the need to communicate that in order to have healthy interactions, that doesn’t imply that they can’t have a positive experience.  I remember reading a very inspiring story which transpired at the 29th Chaos Communication Congress.  One participant was reluctant to attend, due to her Asperger syndrome.  She knew that hackers are huggers and that the CCC events are often densely-packed with people of every stripe.  But instead of letting her fear get the best of her, she chose to attend anyway.  With the support of friends, this person wore a shirt announcing prominently that she didn’t care to be touched directly.

Her blog post was one of wondrous joy and happiness.  The author explained that by and large, the other attendees which she encountered were supportive and very respectful, making the CCC event accessible to even someone who was well outside the base-rate of the Hug Spectrum for hackers.  While the wearing of a prominently-worded shirt might be quite an extreme step to take, it’s just one example of how it is very possible to communicate your differences to those around you and everyone can come out better for it.


I’ll let this blog post speak for me.

I’m a hugger, through and through.  If you see me, feel free to hug me.  If I know you, chances are I’ll approve.  Even if I don’t know you, chances are high that I’ll smile and be happy about it all the same.

Just do me (and everyone else around you) a favor: smell nice.  A recent shower coupled with clothes that have been laundered goes a lot further in making me comfortable during an embrace than whether or not I know whose arms are around me.  😉




Years ago, I posted in a thread on the DEFCON Forums where folk were discussing travel tech.  What bags, what gear, what tools, and what must-have items made life on the road easier and better were all being shared.  In that thread, I posted a rundown of the backpack which I used for carry-on during all my flights.  An array of photos showed the backpack I used and the gear within.

I just re-read the thread and now so much of it is quaint from a time gone by.  A paper book for “take off and landing” times when the Kindle wasn’t permitted was in there.  I used to keep my laptop with me in carry-on.  But, most of all, a lot of things look the same.  What has changed the most is my bag.  I’ve moved to an even slimmer and smaller carry-on, and that’s probably the best advice I can give to anyone who is preparing things like this… GO SMALL.  You’ll force yourself to fit into a smaller space and you’ll carry less gear.

Even now, as I type this post, I am seeing some things that are in my frequent-flyer backpack which are seldom used.  I could prune down even more, I bet.  This post may inspire others to pack smart, but it’s likely going to inspire me to pack even lighter than I used to.  😀

So, without further ado, here is what accompanies me on every single one of my 100,000+ flight miles each year…



I now use a bag from 5.11 Tactical, their MOAB Rush 10 backpack.  It’s a single-strap design that slings over the shoulder and can be adapted for left-side or right-side use.  The single-strap allows the person wearing to spin the bag to their front for quick access to most pockets and it balances the load well, despite only resting on one side of my frame.


The bag has all the customary velcro areas for adding patches, which I have done.  Also the webbing straps allow for extra hooking of gear and other add-ons.  You don’t see it, but I always have a Kleen Kanteen water bottle on the outside, for quick fill-ups once I’m through TSA screening.  Opposite that is an extra pouch that a friend gave me…


This perfectly holds my Kindle.


The add-on pouch is super padded and keeps the Kindle (one of my most frequently-grabbed items) in the same spot 100% of the time.  I used to have a Nexus 7 tablet in there and it also worked perfectly for that.


Also through the outside loops of the bag are some markers and pens.  They are always useful and I keep them on the outside for fast access.  If I lose one, meh, they’re cheap.


The main pouch of the backpack contains four large things and one small envelope…


The main pouch contains a ziplock bag of some spare clothes, a travel wipes packet, a black zipper pouch, and a gray 1st class complimentary sundry kit that I’ve augmented over the years.


The spare clothes include boxers, a t-shirt, and both white and black socks.  I can get through basically any “day after misrouted luggage” whether it’s a meeting, a casual time, etc.  There is also a waffle-knit long-sleeve thermal shirt from Colombia.  I can wear this under (or over) anything I’m wearing on my flights and be comfortable in cold conditions.  Whether a plane is chilly or I’m stranded in Denver for the night, this will get me through the worst of it even without a coat.


The extra garments squish down into that ziplock bag and don’t take much room. They live at the very bottom of my carry-on.


The sundry bag has pretty much what you’d expect…


In addition to the typical things, I also have a spare toothbrush if I’m with a companion, plus eye drops (artificial tears only, NEVER Visine because it’s awful) and nasal spray.  A tiny tin of moisturizer and powder are also helpful in rough flight conditions.


The black zipper pouch is entertainment/relaxing/etc gear.  Lockpicks and a few practice locks are in there.  A BlueTooth game pad controller for emulated old NES and SNES games on my phone is fun sometimes.  Keeping spare spoons, knives, and chopsticks is very helpful for in-flight dining or “stranded in a hotel room and eating stuff from the gift shop” dining.


The envelope in the large pouch is a self-addressed flat rate envelope and some smaller envelopes with forever stamps, in case I ever have to mail something home.  I also have a free pair of slippers from a previous flight (they fold super flat) and some printed-out policies and correspondence from TSA and airlines clarifying policies.


The main pouch has two small additional pouches.


A deck of cards (which I almost never use but can’t seem to stop keeping on me) is in one such small pouch.  The other contains a little case of which I spoke in my earlier post years ago on the DEFCON Forums…


This used to be my “keep in the seatback pocket” case… it had basically anything I’d need while in-flight.  I rarely reach for it nowadays, however, and really just keep it in case someone else in my travel party needs something.  From meds to make you sleepy or settle a stomach or ease pain to gum for ear-popping to power/audio adapters, these are things that are good in a pinch but which I need less and less.  Nowadays, I just listen to my phone via earbuds or I read the Kindle or I sleep.


The tiny pouch built into the shoulder strap has a few things I like to access quickly.


USB charging cables (one 10′ one and one 1′ one) are in there along with my earbuds and a wet wipe.  The LEGO flat bricks are part of an old joke.  If you saw a talk of mine from CarolinaCon you’d understand.  😉


This small top pocket is designed for glasses.  I use it for that and a couple other odds and ends.


Sunglasses are up there, yes, and also some spare floss and a lighter and a USB drive.  It’s also the dumping-ground pocket for loose change, which I empty out after each trip.


This bag has a TERRIFIC additional pocket in the rear.  I use it as a food stash.


In addition to Clif bars and similar things, I keep a small supply of heavy-duty ziplock bags in there.  I raid lounges for free things if I know I’m headed somewhere that might not have proper food options.  Yes, these little goldfish crackers or the carrot sticks are kind of crappy… but it beats being hungry when you are wheels-down in Moscow and checking in to a hotel at 2AM hours after everything is closed.


The very front pocket is where all of my essential tech resides…


In here we have:

  • A backup power supply for charging phone/etc
  • A universal power adapter for foreign plugs
  • A cigarette lighter adapter for charging in rental cars
  • An orange power splitter which makes me VERY popular in airports sometimes
  • Spare reading glasses (my main ones travel in checked baggage in my laptop bag)
  • Small bag of chargers and adapters (fitbit charger, etc)
  • Pens, screwdriver, little tools
  • Cash Can (google it, it’s great to have a spare $100 bill tucked away somewhere)
  • Notebook (which also holds all receipts and scraps of paper as needed)
  • a backup phone…


EDIT: I’m making a new addition to this post in order to mention the newest addition to my travel bag.  This backup phone is 110% what I’ve been seeking for a while.  Made by BLU, it’s built in the rugged “candybar” style of the classic Nokia brick phones.  It’s a quad-band device, good for coverage in basically ANY place on earth that has GSM networks.  It comes factory-unlocked, so any SIM card should work.  (The model I purchased is actually DUAL SIM, just for the hell of it.)  The SIM slots are full-size, so including an adapter set is a smart move.  Just leave the adapters sitting in the SIM slots.  The phone supports a microSD card and can do a few extra little things like play MP3s or even tune in FM radio.  In short: if I ever for any reason break or lose my smartphone while traveling, I can have at least basic comms back up quickly, no matter where I am in the world.

This phone costs $23 on Amazon.  For heaven’s sake, order one.  :-)




All of that packs into a bag which is small enough to fit under any airline seat (although I prefer using overhead space, of course) and which is “squishy” and capable of being wedged into overhead bins on both large and small airframe craft.  I can sling it and carry it a variety of ways (even wearing it comfortably on my chest if I have a larger bag behind me somehow) and it sees me through just about anything.

The bag currently weighs 15 lbs.  I’m pretty happy with this setup, and will continue to strive toward reducing its weight and size more and more over time.

Travel well, people.  I’ll see you when I see you.




In a recent podcast interview (The Social Engineer podcast, run by Chris Hadnagy and his team) the topic of DerbyCon came up, and naturally all participants enthusiastically recommended that the listeners attend.  During this chatter, I spouted the oft-heard remark “DerbyCon is the new DEFCON” (a phrase that I didn’t originate but which I have been heard to utter from time to time) and all heads nodded.

In some follow-up on Twitter with nick8ch, we realized that this is a perhaps-controversial phrase and could benefit from some clarification.  So here goes…


“DerbyCon is the new DEFCON” – This is not to denigrate or snipe at DEFCON in any way.  I love that massive Vegas hacker gathering and will keep attending forever.  However, the size of DEFCON and the fact that it’s no longer in small (often seedy) hotels means that having intimate and casual meetings with close friends is challenging and also some antics are harder to pull off than they used to be.  You don’t find yourself just chatting in hallways or hanging out on the hotel roof anymore like was the norm in the past at DEFCON.  DerbyCon, however, has a very very high signal-to-noise ratio and it’s held at a much smaller venue than DEFCON.  Many of the old guard are present, as are enthusiastic up-and-comers.  Folk chill in the lobby bar and it’s not uncommon to see massive penis art in the elevators.  DerbyCon most closely captures the vibe, in my opinion, of the earlier days of DEFCON… but, of course, in truth nothing could ever really be equivalent to that particular place and time in history.  And what’s more, DerbyCon has developed their own wonderful and unique energy that is distinct and vibrant in its own right.

this kind of thing you just don’t see at on-strip hotels at DEFCON anymore


“DEFCON is the new Black Hat” – This is also a slightly questionable statement, but one that sometimes follows the previous one.  Why?  Well, while DEFCON used to be 100% focused on the friends you knew who were there and the antics/catching-up you could do with them, now there’s a much more significant element of going to DEFCON in order to see people whom you don’t know.  The idea of rubbing shoulders with the latest INFOSEC rockstar or, similarly, getting your research out in front of people who might hire you or invest with you… those are very BlackHat-ish elements that now are common at DEFCON.  I’m not saying that what makes DEFCON great isn’t still there… but there’s a new vibe.  As someone like SpaceRogue or SimpleNomad would say, “the Money that has changed the industry has found its way into DEFCON.”  People take specific steps to “be seen” and portray their efforts at DEFCON in a way that could positively affect their business the rest of the year.  In the past, you went to DEFCON with a “don’t give a damn” attitude about the fact that it could negatively impact your professional reputation the rest of the year.  😉

this is what a “DEFCON party” used to look like

who else remembers the purple fountains? think this could happen at a Caesar’s property?

before it was an official, professional event… the Wall of Sheep was just people being d0x’d or having creds dropped on paper plates on the wall of the hotel

poolside fun and general chill.  i can’t remember the last time i could just chill out at DEFCON.  well, maybe at the Beer Cooling Contraption Contest ever since Uncle Enzo took it over.  😉


“Black Hat is now RSA” – Even more folk might agree with this somewhat unfortunate turn of events.  Full Disclosure: I still appear at Black Hat since my company trains there.  Most of my friends’ companies also train there.  However, the event has ceased to be about the hacker community in any real way other than name only.  Much of the best information is still there, yes.  But the community feel is not.  Put another way: when is the last time you stuck around at Black Hat in the evenings to go to any of the parties?  For me, it’s been years.  Plenty of sponsors host parties when Black Hat is in town, but now the whole INFOSEC core community is either at BSides or the 303 house or just gearing up for DEFCON itself.  Black Hat’s pricing has continued to grow and scale upward with the influx of money in the industry and this has made it a lot harder to find smaller voices among that crowd.  Black Hat was never an event where folk would streak naked into pools or wander through DJ-pumping halls high on a galaxy of drugs, but even those of us who have been appearing there for years know that it’s somewhat more “corporate” nowadays.  The size of the vendor expo area has grown as much as the admission price… but it’s not going away any time soon.  Hence, the RSA comparison.

Black Hat… way back when.

“So if Black Hat is now RSA… What has RSA become?” – COMDEX.  RSA is now COMDEX.  It’s 100% trade show, and any “talks” or other speeches are little more than veiled sales pitches.   A giant sea of marketing with little to no real value to anyone who is key to the industry, most INFOSEC pros whom I know now avoid RSA like the plague.  Confession: when our company was still new, we did a brief presentation at RSA.  It was one of the saddest things I’ve ever been a part of.  I felt like we were just one more piece of a massive dog-and-pony show.  Besides the event itself having awful security and the participants having awful OpSec and privacy practices, the whole affair just reeked of circle-jerk.  I am sure that I’ll piss some people off here and maybe one day I’ll pay the price for that professionally… but perhaps that’s just the old-DEFCON side of me showing through.  :-)

we used a FedEx Kinko’s to mod our badges for access outside of regular hours. we did this at the on-site FedEx, right on that floor of the hotel.  no one noticed or seemed to care.

i can’t even.  “prevents tampering, spoofing, & hacking” … well alright, then.  seems legit.

even Babak couldn’t believe we were there, talking to this goofball


Feel free to share your thoughts below in comments or just share a drink with me when you see me.  I’ll be at DerbyCon in the fall.  And DEFCON before that… but you can’t find me for so much as a free second at that event.  😉




Well, I finally made it.  I’ve completed another House of Cards marathon.  This one wasn’t as rapid and blitzkrieg-ish as the first or second season was for me (both of which I’m fairly certain I watched in almost one or two sittings… just powering through.)

This season, however, I just kind of got to it as I found the time, on this recent business trip.  I wasn’t watching each episode one after the other, as if I couldn’t look away.  No, this time… it became just a long, awful, grueling slog.  I just wanted to see it through, like having chosen an awful hiking trail, yet not being willing to turn around and head back to the car but instead pushing on to the next shelter or campsite because… well… it’s just something you feel you have to do.

And, as any hiker in that situation can tell you, the mix of feelings and emotions that overcomes you at the end can be gut-wrenching.  This blog post is part of my necessary catharsis.


Phew… I am done with watching House of Cards.  And I do not just mean in the sense of completing season three.  I am done for good.  Yes, I know they left it (as they so often do) with such a compelling plot point as to coerce people to tune back in next time.  I don’t give a single damn.  Do so if you want to see what happens.  Me… I’m out.

How can I react that way, given the last episode’s breaking updates and everything left on edge?  It’s easy: I no longer give the smallest shit about any of the characters.

Let me explain it this way.  Were I to start viewing season four — for reasons beyond understanding — imagine the first episode were to just be a cold-open set in a hospital or medical center.

[indistinct voices over a tinny PA system, paging some medical tech to another floor, etc]

[camera shot looks through the cracked door of a specialist’s office, as we see her at her desk, looking at files and addressing a character who is out of frame, but clearly seated across from her… the camera pushes in and a tracking shot brings us into the office where the discussion is taking place. There is a severe look on the doctor’s face.]


Doctor: “I know this comes as a shock.  But we’ve checked it twice.  I’ve even sent one more sample to the Jennings Institute in Atlanta, but at this time we have no indications that they will come back with a different result.  I’m sorry, but the evidence is clear.”

[camera pans down slightly, as to showcase more of the chart in the doctor’s hands.  the top of the image still frames the lower-half of her face, and we see her mouth as she reads the diagnosis]

Doctor: “You have cancer of the AIDS of the eyeballs.  And it’s inoperable.”

Then I imagine the camera makes a rapid yet smooth track toward the doctor’s side of the desk, and pans directly across to reveal seated before her…


I honestly could not goddamn care.  I have so little empathy, sympathy, or even general interest in ANY of the characters on this show, that my reaction to such horrific and life-changing medical news for them would be a resounding, “meh.”

Remy has eye-AIDS-cancer?  Meh.

Claire has eye-AIDS-cancer? Meh.

Doug has eye-AIDS-cancer? Meh with a side of karma.

President Underwood has eye-AIDS-cancer? Meh with half a chuckle.

Jackie Sharp has eye-AIDS-cancer? Double Meh.

Heather Dunbar has eye-AIDS-cancer? Meeeeeeehhhhhh.

You could put any one of this show’s dozens of characters into that (ridiculously contrived) opening sequence in the very first moments of season four and I would feel utterly nothing at all for them.  The camera could linger on their face.  The highly-trained acting talent of so many quality actors on this program could be aptly applied to the ever-so-subtle slightest microexpression that crosses them.  All of the tremendous production values and talent of the people who are behind this program could be poured into that opening scene.  And I wouldn’t give a single damn at all.

The fact that I don’t care a jot about anything or anyone on this show anymore should come as a relief to me.  I don’t have to watch.  I utterly LOVE cutting TV shows out from my life.  I never got into Breaking Bad.  I’ve written off Mad Men.  I barely bother downloading Family Guy or the Simpsons anymore.  I celebrated the ending of the West Wing.  With each show that ends (or gets the kiss-off from me) I have more free time and I’m thankful.

So why don’t I feel so exuberant now?  Because season three didn’t just turn me off from the future of House of Cards.  It was so underwhelming as to literally taint the previous installments.  The first two seasons were a triumph.  The ending of season two, with Frank behind the desk in the Oval Office, rapping his fist twice on the Resolute wood… that moment was untouchable.  And now, it’s like they’re all just compromised to me.

Ah well, I was raised Catholic.  And before I left the church long, long ago… I learned of the power of self-persuasion and the ability to put on blinders so tightly as to convince oneself of a fiction that you just need to be fact.  Now, I was never one who actually bought into all that bollocks… but maybe, just maybe, if I try hard enough I can forget that season three ever happened.

Hell, if the fans of The Matrix can believe in their hearts that two sequel films never actually took place, maybe with enough will power (or enough whiskey) I could blot out this season from my mind.  And, one day in the future, if someone asks me if I enjoyed House of Cards, I could honestly answer them, “Yes.  It was quite an amazing show, those two fine seasons it was around.  And to end the way they did… with that swelling music score and ghastly foreshadowing of a presidential administration to come.  I’ll never forget that final scene, as we looked right into Kevin Spacey’s eyes and he looked into ours.  Rap Rap! on the desk… smash-cut to black.  A perfect ending to the show that redefined what it meant to distribute new and fresh content in the digital age.”
(And then if they start to protest and try to say anything about a third season or anything that may follow, I could always Catholic it up just a little bit and stick fingers in my ears, walking away saying, “La la la la la, I can’t hear you, la la la la!”)
P.S. – Correction.  If for some sadistic reason the writers were to give Old Freddy (the ribs joint fellow) Cancer of the AIDS of the eyeballs, I would feel something.  But I still wouldn’t watch the next season.

This short rant is probably unnecessary, given that anyone who sees this post will probably either (a) instantly agree with me, thus obviating their need to actually read this, or (b) not think there’s any problem with this behavior, in which case my words here aren’t likely to help them improve themselves… or help them find a fire to jump into.   (Pity, because either of those actions would benefit the rest of us massively.)

It’s 2015.  We all have smartphones.  They all have cameras.  With that great power comes great responsibility.

Most people understand that it’s not polite to whip out your phone and attempt to photo something in, say, a restroom.  Many people have learned that their friends online probably do not need to see pictures of every single comestible about to be put into someone’s mouth.  However, time and time again, I encounter one incredible failing of social grace that seems to persist even while most people are learning all other forms of smartphone etiquette.  So I must ask the question…

Why are some of you jackasses trying to record concerts and other performances??

I understand that you may be particularly pleased to be experiencing melody, dance, and voice to your liking.  I understand that you may wish to preserve this moment so as to experience it later… but that is why we have cognition and memory.  Please use your own evolved human brain and remember the performance by simply paying attention to it and enjoying it.  You’d think this would be obvious, but that is not the tactic employed by so many people.

Nowadays, no matter the venue or the genre, it’s not uncommon to see one or more jackasses holding up smartphones and attempting to record the event, ostensibly for later viewing…

Recording Performances with Smartphones


Of course, there are a number of problems associated with this idiotic behavior.  Let’s make a short list of them here…

1. Doing this bothers everyone else

2. Doing this means you are not actually paying full attention to the performance you are spending the time (and probably money) to attend

3. Doing this yields invariably shitty results

4. Doing this is often unnecessary

Please take these criticisms to heart and understand that everyone else in the theater (at least, everyone behind you) hates you when you are holding up your smartphone or other device.


1. Doing this bothers everyone else 

I’m going to borrow a line from Maddox when it comes to the use of phones or pretty much any other kind of technology in a darkened theater…


No matter how much you think that you have turned down the brightness on your screen or how well you are attempting to hold the phone close to your body (which almost no one actually even makes the effort to do) it is painfully bright to everyone else behind you.

You think that your phone looks like this…

What you think

When in fact it looks like this…

What we see


2. Doing this means you are not actually paying full attention to the performance

Many of the photos in this blog post were taken by me (yes, I realize the irony… but understand that I was actually in the back of the theater) during a performance by the famed Irish musician Danny O’Mahony who had traveled all the way to Montana.  This was a rare and wonderful opportunity to hear a talented and worldly performer and storyteller.

Yet, during the evening, there was no shortage of jackwagons with their smartphones and cameras, attempting to record.  One woman was so painfully inept that she spent the better part of the evening scrolling through menus and configuration settings on her phone while almost never successfully recording anything that she wanted to…

Idiot woman

… and another man in front of her was attempting to only record the song segments of the evening, but this meant that he had to hustle and shuffle around at the start of each piece, attempting to unlock his phone and start the video footage.  He was cutting off between 5 and 10 seconds at the start of every song.

And then, as if to put a cherry on top of this shit sundae, down in a front row we got to see… iPad man.

iPad man

If you thought smartphone people were the worst in public, you were wrong.  That honor goes to the more elusive but also more idiotic creature known as iPad man.  Using your iPad as a camera (or a videocamera, no less) in public is just about the most inconsiderate thing you can do to others.  The massive screen is not only brighter, its sheer size makes for blocked views behind you, too, due to simple geometry.

iPads are our generation’s Fanny Pack… no one looks cool with one out in public, and the fact that they hold more than what you can put in your pocket means that the most gauche among us think they’re the greatest thing ever: capable of storing loads and loads of crap that no one needs or wants, and allowing you to collect more along the way.


3. Doing this yields invariably shitty results

Travon Free said it best during an old installment of The Gentlemen’s Rant


No matter how steady you think your hands are or how great a view you have, etc etc… nine times out of ten, any recording that you make on a smartphone during a concert or other performance in a theater space is going to turn out like crap.  The lighting will be severe, the resolution will be blurry, and almost always the sound will either be muffled or full of clipping due to levels that aren’t right for your shitty little microphone which your hand is blocking half of the time.

Regardless of the quality of the recordings, I’d wager that most people aren’t even going to bother playing those clips in the future.  Not for their own pleasure, not to show friends, not for anyone.  These are just recordings that will take up space on their device, and which bothered everyone when they were being filmed.


4. Doing this is often unnecessary

This would be the most hilarious part for me, if it weren’t quite so sad and annoying.  Many, many musicians and other performing artists nowadays have roadies (or just good friends) with professional gear and genuine skill who record their performances for them.  That was even the case during this concert in Montana…

professional recording

…when it was all over, I shared a laugh with the cameraman who had set up in the back corner and had captured the entire performance with a long zoom lens and board-level sound input.  This kind of setup is no longer the exclusive purview of headlining bands that sell out stadiums.  Check your local artists’ YouTube or Twitter pages; chances are they have recordings of the shows that you attended.  It’s very possible to enjoy the melodies and lyrics again and again without having to bother anyone around you.

So, please… if you’re the type of person who feels inclined to whip out your smartphone and record during a concert (even just for a song or two), STOP.  Just stop.  The results are ass and you are annoying the hell out of everyone else.

If you really, really want to enjoy the concert after-the-fact and your mind is too addled and fried for you to remember it with sufficient clarity, contact your artist and ask them about a recording.

Or, do what all proper dedicated fans do at shows where crowd recording is encouraged (hint: it’s the same thing plenty of dads did back in the 80s and 90s with their camcorders at school plays and the like)… position yourself in the very rear of the theater and learn how to document a show properly.  You may not be 100% “present” for the performance as it happens, but at least then you’ll have a fighting chance of producing a recording that is worth something to you and others after-the-fact.

Or maybe it won’t be, because you’re a nimrod and can’t operate your camera.  I don’t care either way.  Just stop doing it in front of the rest of us, lest we start resorting to pouring drinks on your head “accidentally” when we get up during a break.

So, I cannot believe the volume of tweets and discussion that this all generated.  :-)  Loads of people replied to me on Twitter (that link is just one of about a dozen conversation threads that rattled away) and the answers I saw were wide-ranging.  Of course, there were more follow-up questions than there were actual answers, I think.  :-)

People disagreed if the distances should be calculated based on surface travel or as the crow flies.  The great-circle theorem and Haversine formula were linked.  We all mentioned that moose do not fly.  Someone asked about the moose stealing a plane.  The question was clearly phrased with the words “running” and “walking” and no moose-bearing plane could fly at those low velocities.  Someone asserted that moose COULD fly and someone started working on art to show this.  Someone else asked about the forward surface area & air resistance of an adult moose.  My house mate responded that this should already be presumed to be factored in.

On the ground routes, people disagreed over whether the moose would use Google’s walking or driving directions for route planning.   I stated that while I hadn’t considered that, the photo in my blog post clearly shows the moose on a road, near a car.  Someone asked if that was just a moose CROSSING a road.  Bruce Potter brought up the issue of moose and swimming.  Noise and Aloria both asserted that moose do not proceed across the landscape with any urgency and often stop to rest and eat.  People discussed whether a moose could hijack a car.  Someone else asked about a moose with a jetpack… clearly irrelevant, but now that’s all I can picture in my mind and I wish to see Congress appropriate funding for the development of this technology.

And there was no shortage of people offering theories involving the Philadelphia (or, alternately, the Cleveland) moose being drunk, a brawler, or eager to leave his or her own city faster.  Space Rogue pointed out that neither city is part of the natural range of any moose so that the moose “From Maine” is the winner because that moose actually exists.  It was also pointed out that I did not specify which Cleveland in my original question.

I was inclined to give a prize to Carl Numbus…

But ultimately, here is how I was calculating things…

Cleveland, OH moose has to travel 369 miles and at 25 M.P.H. this takes 14.76 hours
Philadelphia, PA moose has to travel 138 miles and at 10 M.P.H. this takes 13.8 hours

ANSWER: the Philly moose should get there ~58 minutes sooner

It turns out that the first person to actually tweet to me was the one who came the closest to the answer I was expecting.  He followed up with the answer in minutes shortly thereafter and was therefore declared the winner in my book.  He can email me this week and purchase a spare ticket I had grabbed for face value.

Thank you to everyone and I’ll see you in Washington, D.C. this January!




– — —– ———-[ ORIGINAL POST ]———- —– — –

Two moose are going to ShmooCon.


Moose 1 runs from Cleveland to Washington D.C. at 25 Miles per Hour

Moose A walks from Philadelphia to Washington D.C. at 10 Miles per Hour

If they start at the same time, which moose gets there first and by how many minutes do they beat the other moose to the finish?  (Plus or minus 5 minutes)


First person to tweet the answer to me gets to buy a spare ShmooCon ticket at face value from me.


Thank you to everyone who reached out to me, helped spread the word, helped re-tweet, and did things I don’t understand on the Facebook, something of which I am not a user.  😉  Extra big thanks to Heidi Potter whose exceptional efforts in spreading the word came to the attention of some other hacker friends elsewhere in PA.  Their cat has been lonely ever since her companion bunny rabbit in the house passed away.  They reached out and so lovingly offered up a home for Chico and Mouse Face.

The actual process was nothing short of a catastrophe, thanks to the badly-managed and logistically broken SPCA here in Pennsylvania.  Despite making all arrangements with the Philadelphia office to have the cats held and waiting for their new owners on Friday, things went awry.  The new folks were driving all the way down from the Poconos to meet me in North Philly at that SPCA office when I learned that, with NO explanation, the cats had been MOVED many hours away.  So, abruptly and after having almost made it to Philadelphia, they pulled off the road, I spent time on the phone, and we tracked down the cats like prisoners who had been mistakenly lost somewhere in the DoC network.

In the end, we all arrived at the Danville, PA SPCA and it was so dysfunctional that over an hour passed before things could be completed.  The administrative “do not adopt out” holds that had been placed on the cats’ files could not be removed, then the staff kept attempting to attend to dozens of other odd tasks at the same time, and even (surreally) a farmer and his wife came in and started trying to talk to everyone present about a sheep theft from their farm.  This was a case of over-worked staff trying hard to do “everything” at the same time and ultimately doing nothing at all in the process.  Eventually, we took matters into our own hands and took the carriers back to the holding areas and sprung Chico and Mouse Face from their cage.  They were so scared.

This is the most morally-conflicted part of the tale for me.  I mean, I love the SPCA and the work that they do and I am SOOOO grateful for the organization’s No Kill policy, but let’s face it… it’s kind of a hell hole back in those holding areas.  There are just row after row of huge barracks of cages.  All the animals are stirred up and constantly yowling and yapping and howling.  It’s really like some sort of awful jail to them, where everyone is shaking and unsure of what’s going on.  Chico immediately ran into my arms when I popped the lock on his cage.  Mouse Face was initially hard to find… he had hidden himself beneath all of the bedding and cushions in the cage.

In the end, we got them secured and finished all the paperwork, petting them the whole while…




And, many dollars in fees later, my friends were taking them home.  Getting a photo sent to me later that evening showing my pair of cats resting comfortably and undisturbed on nice chairs like regular pets set my heart glowing and lifted a tremendous weight from my shoulders.

cats home

Despite all its logistical failings (and the stories we heard from staff and patrons while waiting were manifold… Transport services often moves animals incorrectly, people lose paperwork, medications are handled incorrectly, etc etc etc) the SPCA is a wonderful organization and deserves our support.

And, of course, if you are thinking of bringing a new pet into your home… please consider adopting from shelters or other services where animals without homes are waiting for you.

Thank you.  And thank you to all my friends who helped make this one of the best Holiday Seasons ever for me.

Much love to you all.

– — —–[ ORIGINAL POST]—– — –

As some folk who know me are aware, I am the owner of two adorable and friendly cats — Chico and Mouse Face — who deserve more love and attention than I can provide at this time.  When it was me and my then-girlfriend, someone was always around.  Then it was just me, plus other housemates from time to time.  Now… it’s just me.  And I am out of the area (and out of the country) more and more every month.  My time is becoming divided between D.C., Montana, Europe, and the Middle East.




Because I am spending as much as half of my time overseas for the foreseeable future, it was undeniable that this was not fair to the cats or to any friends whom I would ask to look after them when I’m away.  I was forced to seek a new home for them where people were around more often and they would not get so lonely.  One friend pitched in for a while, because he shelters animals with no place else to go.  In his tiny 2-bedroom house he was caring for 5 cats but still agreed to give Chico and Mouse Face a good home.  This arrangement was imperfect, but for the past few months it’s been what we had to do.


Mouse Face


Now he is forced to take on an 85-lb Labrador pup because of an owner who was urgently called out of the area on a legal matter.  The situation at his place reached a breaking point, and my cats had to move on.  After trying for weeks and weeks to ask anyone whom I knew, it was clear that we were out of options.  With the dog deadline day looming, the hardest thing I can recall doing in my life was to take Chico and Mouse Face to the SPCA and offer them for adoption.  The PA SPCA has a no-kill policy and Good Home Guarantee if the pets meet proper health and personality criteria.  Many medical tests, many fees, and many tears later, they were being accepted back to their new cat condo in North Philly.

Because they are a pair, that means they get a little more space at the shelter.  But it might also be harder to place them.  So I am turning to the Internet for help.




These two cats are both almost 8 years old and from the same litter.  They squabble on occasion but always make up soon after.  They are both fixed and have clean medical histories.  I will supply their new owners with treats, toys, and also their hardware.  What hardware?  Well, these two cats use an automated feeder that dispenses their servings at the right time of day and a water fountain that recycles and cleans itself.  My buddy also still has their pet carriers.  All you’d need to provide is love.

If you are from anywhere in the tri-state area or even as far north as New York or as far south as DC, I would totally make it cost-neutral for you to adopt these two lovely, lost souls.  I will cover all fees at the SPCA, help you with mileage to and from here, and even take you out for a meal (I’d want to do that anyway, to get to know you.)

If anyone in the hacker or tech community is willing to open their home to two little animals who need more love than I can provide, I can’t say what a difference that would make for my Holiday Season.  It’s all I want for Christmas.

Please feel free to email me anytime…



I’m totally not above trying to play on your emotions here.  So allow me to just say: here are my two cats looking up at you, hopeful that your home would be right for them…



And I’d like to tell you a little bit more about them.  Chico loves to explore in order to find new places to investigate…


… and Mouse Face loves to explore in order to find new places to sleep…


… Chico likes to sleep, too.  But his favorite sleeping spots tend to be under covers (see the white feet sticking out)…


… some of Mouse Face’s favorite spots are boxes…


… but what cat doesn’t like boxes?  Chico also appreciates them sometimes…

Chico in a Box

… Mouse Face always gets told how brave and well-behaved he is, even on trips to the vet…


… but mostly these two just like to lounge and stretch out and spend their day sleeping. Next to people if possible, but on any soft surface is all they ask…


… well, that and tummy rubs.  If you see this inviting pose…


… then you shall know immediately what time it is!


Please let me know if you think you have extra belly rubs to give to deserving cats this holiday season.  Thank you.

In mid-November, Twitter follower Kevin Anderson asked me about a firearm lock box product called the GunBox.  Every now and then, because of my general interest in teaching and presenting about firearms and gun technology, folk will reach out with such questions.  Often, the safe and lock box inquiries come my way because of a presentation I gave at DEF CON 19 regarding the relative security (or insecurity) of many popular firearm lock boxes.

According to the manufacturer’s web site, the GunBox “has cutting edge technology, state-of-the-art design, and incredible features that make safely storing firearms with quick access a reality” and it is “the ideal way to Defend Responsibly.”  As you will see from the analysis below, while the GunBox is as effective as any other low-cost firearm lock box (most of them retail in the $150 – $300 range and the GunBox is within this zone, albeit on the higher end) at preventing a toddler from accidentally laying hands on your gun and having a terrible accident, it is not at all suitable for long-term storage or for deterring criminals or even curious teenagers.

The staff who monitor the GunBox’s Twitter account were not keen on discussing how their hardware functions, but it becomes apparent from the moment that you open up this unit how their lock (and also the bypass/override method) works.  Honestly, this is the first thing you see when the lid is open.  I didn’t even have to take the internal compartment apart or pull back any rubber or plastic elements.  Because the bypass method is so painfully obvious, I do not have any real ethical qualms with documenting it here.  The manufacturer is more than adequately aware of how this works and (it would seem) has no plans to change how this feature (or “vulnerability” depending on your point of view)  is implemented.


Amazon has this item available via Prime shipping, so the unit actually beat me to my house.  I ordered it a couple of days before flying home from the Persian Gulf and it was there when I arrived.


Upon opening the unit, one immediately can see the latching mechanism that keeps it shut when closed and locked.  There is a small peg with a metal cone on its tip sticking up from the base…


… and this peg interfaces with a pair of sliding metal plates in the lid that form a hole which can expand and contract via spring pressure…



As the lock box can be closed just by pressing the lid shut, one can immediately discern that the metal plates slide apart simply by any force acting upon them.  The lock and circuitry mechanism is not needed to cause them to move…




As mentioned by the GunBox folk on Twitter, the unit ships with a small hex head Allen key which can be used to bypass the main locking mechanism and open the box if other methods fail to work.  While the conversation they had online was intentionally vague, they attempted to indicate that the Allen key was simply “the tool that is used [to access the bypass hole]” and they went on to state that “the manual override is not that simple.”  This is patently false.

Yes, the hex head bit is used to remove a small set screw in the bottom of the box, exposing the bypass hole.  After that, however, the same exact tool is inserted and simply wiggled from side to side.  That is all.  That’s the entire attack.  The shaft of the Allen key interacts with this small slot on the metal plates…


When we opened up the box and looked at this, you can see that we figured it out in seconds.  The following video (which was Take One of the whole analysis) shows the process unfold.  Not only did we figure out the attack in short order, but it was trivial to perform.  It took me about 15 seconds to seat the handle of the Allen key in the correct slot the first time, then 5 seconds later the box was open. Subsequent attempts took under 10 seconds total.  It’s a process of (1) insert, (2) rock the handle of the tool toward you and therefore angle the inside tip of the tool rearward, (3) find the bypass slot in the metal plates, (4) press the tool to your right and therefore disengage the upper plate which moves to the left inside the box, (5) press the tool to your left and therefore disengage the lower plate which moves to the right inside the box, (6) the box is open.


(If for any reason that video becomes unavailable on YouTube, I’ve also uploaded it here on Vimeo)


There were quite a few things that I found disturbing about this whole process…

1. This entire bypass process was monumentally trivial to discover and to perform.  The fact that anyone could speak of this as though it were some massive secret is astonishing.  The bypass hole and the slot in the plates where it is performed are immediately visible to anyone operating the safe or even just glancing at it when it is open.

2. The bypass leaves no evidence at all that it has been used.  The safe doesn’t appear to have any logging functionality if the latch is released manually.  The small set screw could be secured with a tamper-evident seal (although, as The CORE Group will tell you, tampering with security seals is often a very valid attack vector, as well).

3. The unit does not alarm if the lid is made to open up without any valid credential or token associated with that event. (For instance, by bypassing it.)  There is no reed switch or contact switch to tell the GunBox if the lid is open or closed.

4. In general, it was surprisingly hard to actually set off the “tamper” alarm at all.  I could not tell what manner of conditions cause it to beep, but as you can see in the video a lot of jiggling and banging did not set it off.  Apparently, only totally tipping the unit vertically seemed to cause the alarm for me.  Maybe I was doing something wrong.

5. The fingerprint reader and RFID tag appeared very unreliable in their operation.  Again, I’ll leave it to GunBox to respond… maybe I was making too many repeated attempts with fingerprints and mis-reads of the RFID tag and this caused some kind of delay/timeout period to trigger.  In general, however, I would most assuredly NOT trust my safety or my family’s security to this unit during a tense situation when a firearm was needed quickly.

6. The RFID technology used looks highly clone-able.  Babak is still in the Gulf for another week, but once he gets home we’ll test the RFID tokens out with his ProxMark.  I’ll wager dollars to doughnuts that these RFID credentials have zero protection against cloning and copying.  That will constitute Part Two of this review and analysis.


Beyond all that, the unit appears to be your run-of-the-mill firearm lock box.  It is spacious enough to store one (or more) pistols or revolvers of adequate size…




… and I even hit on an interesting phenomenon: when I had two of my H&K pistols in this box together, they obscured and occluded the bypass hole and made it unfeasible to perform the manual override opening technique…


… of course, given how shaky the fingerprint and RFID readers were on the GunBox that I was testing, I don’t know how wise it is to lock up any valuable pistols with the override disabled.  😉

Honestly, though, if I were forced to choose between a lock box that offered almost no protection versus a box that was unreliable but had no bypass opening, I’d probably go with the latter.  Were I to own a GunBox, I’d use some ThreadLock (the red permanent kind, not the blue light-duty variety) on that little set screw and feel a lot better about the unit.  But that’s if I were somehow forced to use this.  In the end, my plan will be to let my buddy tinker with the RFID controls, then box it all back up and return it to Amazon.  The folks at GunBox have stated that they “do not want everyone knowing the manual override” but I can’t imagine how anyone would predict this information not becoming public.  They have taken utterly no steps to obfuscate or protect the bypass feature.  Ultimately, of course, security engineers know that the best way to prevent details of a backdoor in your system from becoming public is to not design a bypass in your security in the first place.

Personally, I’m very happy with my MicroVault and LockSĀF products, since I’ve modified their manual override locks for greater protection and robustness against attack.  And that’s just for times when I need a quick-and-simple solution in my home or my car for carry pistols.  Essentially ANY small firearm lock box tends to be something designed first and foremost to prevent little hands from causing a negligent discharge and then –only secondarily– to guard against some forms of basic quick theft attempts.  Small firearm lock boxes should NEVER be thought of as gun safes and they should not be considered a means of housing and storing valuable firearms in a permanent way.  Only my daily carry pistols are kept in small lock boxes.  My main collection all resides in heavy-duty Liberty safes at the various homes where it is housed.

That’s just my two cents.  Feel free to do your own testing and do whatever you feel is right and best for you and your loved ones.  Stay safe out there!