Comments

Arclight December 19, 2024 10:35 AM

Back when they took mail theft seriously, this might have worked. In the mid 90s, we had a problem with the mailboxes at work being broken into. They sent two men with guns from the US Postal Inspector who investigated and also placed a new cluster box free of charge.

When I had checks stolen last year that I had actually mailed from inside the post office, they did nothing other than letting me fill out a report online.

It was later in the news that a gang has been stealing bulk sacks of mail from the loading docks.

This sort of thing used to be treated like bank robbery, and now you just get victim-shamed because “Why did you pay with a check?”

Some systems are much more fragile when deterrence is no longer part of the strategy.

Aggelos December 19, 2024 10:36 AM

In the meantime, here in France, and I suspect other countries, all the mailboxes are master keyed (there’s even a master to open a whole wall of mail boxes).
You can buy the set on any platform, just look for “clé PTT” (PTT is the former name of France’s postal service)

The rationale is that it’s not forbidden to open a mailbox or even check its contents, but it’s criminal to even slightly tamper with a person’s mail.

Not that it helps a lot, mind you, when your mail is stolen, which tends to happen a whole lot around Xmas

Noah December 19, 2024 10:49 AM

You don’t even have to rob them. If you can get a few minutes alone with your own mailbox, you can take apart the lock, measure the pins, and then go file your own master. Mastered keys have two upper pins in each location, the master is always the higher cut. And of course once one person knows the numbers, that info is easily shared.

unsurprised December 19, 2024 11:08 AM

If you have ever managed your own physical security, you ought to know you can tell by the number of keys on your keychain how many unique keys you have…unless you keep multiple keychains.

Besides that, locks can be picked. They really just slow thieves down more than they keep them out.

Human “guard labor” can do things that locks cannot do.

Clive Robinson December 19, 2024 11:10 AM

@ Bruce, ALL,

This “One Key rules them all” as a master key is useful in buildings with multiple floors and manpower hierarchy for cleaning, security, maintenance, and management.

As such it’s been around for oh a century or more. Thus locks with one or more master keys are in some way the default by the lock industry (something I had familiarity with in the 1980’s).

Now take a block of flats or similar with “post boxes” in the foyer. The posty comes in the first front door and puts stuff in the boxes. However all too often a letter/package won’t go in the slot. And as the posty often won’t actually have access beyond the next set of doors to where the Reception desk is, the posty cannot just leave it.

So from an employer’s perspective a posty is more “productive” if they can just open the mail box and shove the letter/packet in…

Which brings us to,

“… but it’s very fragile security.”

Ask the $64,000 question of,

“Who cares?”

And the answer in the US and similar is,

“Only where there is lawful liability that might get acted upon”

Obviously the posty neither cares nor has liability if they follow the rules. The same with the posty’s immediate manager.

And so it goes up the hierarchy.

But also consider what comes in the opposite direction,

“The ever present drive for cost saving and increased productivity”

As is the neo-con capitalist way…

If all the keys are the same that reduces not just direct cost but indirect costs as well in oh so many ways.

Thus the way “security” is dealt with is to stamp the keys so they will not get copied by “Diligent and honest” locksmiths. And each and every posty has to sign a piece of paper saying “they’ve read the official rule book”.

Of course as I’ve mentioned before, this “security policy” is broken because it did not cover somebody who is not even a teenager getting “needle files” and cut / impression their own master keys for all sorts of locks. For my sins it’s what I did back in the 60’s and into the 80’s first for fun then as a side line in Pirate Radio with “Fire Brigade” or “FB” keys and Otis and other “Lift Keys” for tower blocks.

As I’ve also noted you just have to photograph a key, you don’t have to get your hands on it. Which is why it was so funny when the DHS released a photo of their master keys for getting into people’s luggage.

Of course today with 3D Printers you can make a plastic key from photo to in your hand in just a few minutes.

More fun the plastic used in 3D printing can be used like a “lost wax process” where you use a low temperature melting solid as the plug in a green-sand or similar liquid metal casting system.

People do such casting at home to make very finely detailed parts for model trains and also the likes of “War Craft” and similar figures.

So the ability to make or cast a key is fairly ubiquitous, not that those who set up these dumb security systems will admit that.

After all as Upton Sinclair noted a century or so ago,

“It is difficult to get a man to understand something when his salary depends upon his not understanding it.”

EB December 19, 2024 11:21 AM

Firefighter keys and telephony access systems are similarly insecure. Many commercial buildings, apartments, and the like have a lock-box containing keys to the building which are then “protected” by a key that the fire department has. Some states have even legislated the exact key (and bitting) that is required to be used. So they can be looked up in the published statutes and bought online. Deviant Ollam did a great presentation for B-sides in 2017 titled “I’ll Let Myself In: Tactics of Physical Pentesters” (the keyed-alike section starts on slide 85 or at the 31 minute mark).

EvilKiru December 19, 2024 11:28 AM

There seems to be a misunderstanding here of how cluster mailboxes work. The master key doesn’t open the individual mailboxes. It opens the back of the cluster, giving the mail carrier access to insert mail pieces and/or package locker keys into the individual mailboxes, because having to open each individual mailbox in the cluster to deliver the mail would take too long.

Harry vc December 19, 2024 12:16 PM

Consistent physical master keys is not all that unusual – at one time (and maybe still true) you could order the keys for ATM Shells online.

lurker December 19, 2024 12:29 PM

A single master key has been a feature of keyed systems since whenever. The interesting part is, when a postal carrier gets robbed the US Postal Service,
1. Doesn’t tell the box users, and
2. Replaces the locks with “electronic” locks

It might be optimistic to hope they factored in the cost of replacing 49,000 locks when they went for a single master. And the count starts now for when the electronic ones get picked/hacked.

Ian Mason December 19, 2024 3:19 PM

Who needs to rob a postal worker? An impressioning attack would allow one to make a key without ever having had sight or possession of an original key.

Mexaly December 19, 2024 5:53 PM

There is always a master, master key.
Especially for hotel safes.
And did you think the USPS was good at security to begin with?

Donald Grimes December 19, 2024 8:51 PM

When I was a grad student at Berkeley over fifty years ago, the design of the locks in the Physics buildings was such that the higher in the hierarchy a key was, the less metal there was on it. That meant that any key could be converted to a master key by judicious filing. Long ago, some grad student got ahold of a master key and copied it onto his peon key. After that, every grad student had a master key. The faculty all knew about it; no one abused the privilege; sometimes it was very convenient. But definitely security theater.

Bernie December 19, 2024 11:28 PM

I was a USPS postal carrier for a short time at several different post offices… over 30 years ago (and not in Denver). At least some things have changed since then, but still don’t take anything I write as necessarily current.

“Master” keys seemed common, at least for regular mail, which doesn’t get a lot of protection. (Insert UDP reference for those familiar with TCP/IP.) More important mail — such as registered mail — was called “accountables” and had more protections.

As someone else pointed out, the banks of mailboxes that are common with apartment buildings/complexes have a “master” key that doesn’t open any individual mailbox. It provides access to the whole set of mailboxes at once. (Mail delivery is faster that way.) There is no reason to have a master key that works on all the individual mailboxes. Plus, when you need to replace an individual lock, it is easier if you don’t need one that works with a master key.

The “master” key is a USPS-only key. The letter carrier will use it to open everything they need to open on their route. I do not remember if different routes had different keys. These keys — at least the ones I used — were a different kind of key, one that I have only ever seen at the USPS. Access to an individual mailbox lock or key would tell you nothing about the “master” key.

What people tend to think of as a master key doesn’t match this USPS-only key. For example, if you changed the locks to your house/apartment/etc. so that the front and back doors use the same key, you probably would not call it a master key. (Well, I suspect the readers of this blog would not call it a master key.)

ResearcherZero December 20, 2024 3:38 AM

Now you are told that you should use encryption because everyone is reading your mail.

The hierarchy has been the same for the last fifty years. There is so little discussed in open that now many believe the fantasy of television shows over the few details released.
It’s not good for democracy and leaves politicians far too much cover to hide behind.

Every now and then someone is made an example of. To pursue their own personal agendas, aspiring candidates now repeatedly throw “red-meat” to voters. Wise policy has been replaced with wedge issues and crude remarks designed only to fire up the base. Consumed by infighting and personal ambitions, for decades now — politics has dropped the ball.

National security and social cohesion instead ignored in favour of short lived political opportunism. The contracts change but the song remains the same.

https://www.abc.net.au/news/2024-12-11/ex-asio-officer-neil-fergus-raided-after-four-corners-appearance/104709584

Don’t talk about long-dead moles with dead-drops from 50 years ago.
https://www.kyleorton.com/p/soviet-espionage-victory-australia-ian-peacock

ResearcherZero December 20, 2024 4:03 AM

Convenience often leads to lazy behaviour and self-defeating excuses for that behaviour.

The government keeps many secrets because they are embarrassing. Foreign governments have greater access to classified material than the public, yet they do not share them either as in the long run, it helps to undermine their adversaries. Keeping too many matters secret leads to rumour, speculation and eventually conspiracy theories which undermine trust. The very breakdown in trust that governments hoped to avoid with secrecy.

It’s all a little bit silly, yet it leads to very dire consequences in the end.

“The government itself admits vast overclassification. I think Donald Rumsfeld, when he was secretary of defense, had a deputy testifying before Congress who was asked that question directly, and she said, well, probably 50%.”

https://www.cnn.com/2022/09/03/politics/us-government-secrets-what-matters/index.html

While major parties have slept, their voters have been busy packing their bags…
https://spheresofinfluence.ca/the-centre-cannot-hold-voters-turn-left-and-right-as-globe-polarizes-in-a-lynchpin-year-for-democracy/

Americans and Britons once smugly viewed political uprisings, governing meltdowns and self-defeating errors as the eruptions of unstable countries and immature political systems. These leaders mocked experts, declared blood feuds with governing establishments and civil service functionaries and conjured an often mythical vision of past glories with a vow to make their nations great again.

https://edition.cnn.com/2022/10/21/politics/america-britain-politics-truss-trump-analysis/index.html

Paul Sagi December 20, 2024 7:36 AM

When I was staying in a dorm on campus there was a cluster mailbox, the back open to the mailroom, the front of each box (with a combination lock) in the common area (entrance hall).
To open the front of the box it was required to turn a knob back and forth to 3 of the Roman numerals. I think there were 6 or 8 Roman numerals.
I observed people turning the knob back and forth AFTER removing their mail. I asked why, was told they were afraid of forgetting the combination, so they turned to the first 2 of the 3 numbers, then later all they needed to do was twist the knob to the last digit of the combination. Just for fun I chose a few random mailboxes and found a couple of other people had done the same thing.
7 years later, enrolled in a different university for another degree, I chose a couple of panels of mailboxes (total around 30 boxes) that were not within view of the security camera. I twisted their knobs and found that around 20 opened with less than a single turn, i.e. to the last number of the combination.
It seems that people will choose convenience over security.

Wannabe Techguy December 20, 2024 8:30 AM

@ Donald Grimes-I noticed “over fifty years ago” and “no one abused the privilege”. How times have changed.

ResearcherZero December 21, 2024 10:06 PM

Secrecy is Not Security

How can you address security if you cannot discuss it? How can serious failings be rectified? They cannot, as they are currently beyond consideration for public discussion!
Even non-public discussion of matters related to national security may be illegal, including serious criminal matters which would normally be subject to prosecution.

https://australiainstitute.org.au/post/secrecy-is-not-security/

It is a crime for individuals, including lawyers and journalists, to intentionally deal with certain information, even if it is not published.
https://www.smh.com.au/politics/federal/australia-s-still-dangerously-secretive-and-it-s-our-democracy-that-s-at-risk-20230911-p5e3o2.html

Because everything is secret and you cannot talk about anything that took place in the last 40 years “One of the things I’ve been struck by is the disconnect between what I’m reading in intelligence and the public conversation about these matters.”

~ Home Affairs Minister Clare O’Neil

https://www.abc.net.au/news/2023-02-14/apn-foreign-interference-in-australia/101969988

ResearcherZero December 21, 2024 10:18 PM

Secrecy law affecting journalists ‘perhaps’ unnecessary, ASIO boss says.

https://theconversation.com/the-government-agrees-australias-secrecy-laws-need-to-change-now-comes-the-hard-part-taking-action-244823

Even if harm is not intended and does not take place, plenty exists on the books to charge journalists, lawyers and sources with. Attempting to prevent harm may also bring the heat!

https://www.irishtimes.com/news/world/asia-pacific/is-australia-the-world-s-most-secretive-democracy-1.3916771

Anonymous December 22, 2024 10:20 AM

We shouldn’t have master keys at all in the vast majority of cases.

My home/luggage/mailbox is my castle.

Granted, one could argue that the postman and mail delivery org already has access to your post. But people deliver letters themselves fairly frequently in my experience, so that’s not always the case.

Clive Robinson December 22, 2024 3:46 PM

@ Ian Mason,

With regards,

“Who needs to rob a postal worker?”

Only the idiots who could not think and adapt. Simple bribery is safer and can be done through a “cut out”. Prostitutes used to get paid by Hotel thieves to lift keys etc.

As for,

“An impressioning attack would allow one to make a key without ever having had sight or possession of an original key.”

Yup more than half a century ago I taught myself to do that, it’s fairly obvious after you look inside at a few “warded locks” and even an 8 year old can work out what to do with a bit of wood and soft wax from an edam cheese, including the obvious “skeleton key”.

But it was always a lot of effort with “pin and tumbler” locks as you had to “work the pins” one by one and that took time.

There is the obvious “Newton’s Keys” the most obvious is the “bump key” which is all too often fragile.

A new trick on the block is “medical imaging” equipment that “looks through metal” with radiative energy that bounces back from the pins.

This enables a quick scan and quite a bit of work on a computer somewhere else to make a viable “wiggle key”. These have the advantage of looking like a legitimate key unlike most Newton Keys so will get through a stop and search.

But you can also use a “cut matrix” from the lock manufacturer to get “step size” and “allowed cuts” and use this to then 3D print a key…

The sad fact is that mechanical locks’ “security cost” ratio is way beyond that of electronic locks. The problem, many electronic locks are designed by those who don’t know what they are doing, led by sales and marketing people who know and care even less about security.

Such is the nature of the industry all too often more will be spent on making a cheap Zamak/mazak casting plated up to look like polished stainless steel or brushed brass…

Adam January 4, 2025 5:20 AM

If we are talking about the older style USPS master keys for cluster mail boxes at apartments and condos and also for the door to the lobby/front gate/mail room then that would be the funky looking double sided arrow lock key. Very easy to make. Using a pair of gauze shears, break them apart, each side of the shears is a key blank now, get your Dremel, remove the arrow lock from the front door or the outgoing mail box, typically two to four Phillips screws holding it in place. Very easy to reverse engineer your own key from there. The lobby door/front gate arrow lock and the outgoing mail box arrow lock are very easy to access and remove unlike the one for the cluster box itself (but they are all the same key). Some outgoing mailboxes don’t even use screws to affix the lock, just pop the door open to the outgoing mailbox with a flathead (it won’t damage anything if you are careful) and sometimes you can slide the lock up and off. Not every apartment complex or building will have these easy to remove locks but it’s the same key for the entire zip code so you just have to shop around. The older the installation the less secure it will be. Replace the lock where you got it from after you make the key and there you go. You just committed a federal offense that could result in a lengthy prison sentence. Happy now? Due to the ease of making keys and the proliferation of counterfeit keys among criminals, USPS has switched to high security Medeco locks moving forward but the roll out has been very slow here in California. Usually they don’t bother unless the route has been getting hit by thieves a lot. Crime doesn’t pay. This info is for info’s sake only.

Clive Robinson January 6, 2025 11:47 AM

@ Adam,

With regards,

“Replace the lock where you got it from after you make the key and there you go. You just committed a federal offense that could result in a lengthy prison sentence. Happy now?”

I was not even nine years old when I started doing this, and all too often I did not have to borrow anything. Because the “Master Key” was hanging in a “break glass” for emergencies thus was clearly on public display.

I’ve mentioned manufacturers key cutting matrix patterns. These are basically an ordered list of cutting heights that are numbered. The numbers make the key “order number” you use for purchasing a replacement key (you will often find the number on a sticker on the box you buy a lock in).

The thing is there are well over a billion pin locks in the US and maybe a few thousand viable cutting heights (as few as a couple of thousand for many lock types).

This means that your front door key could potentially have the same cut heights as tens of thousands of other front door keys.

This just leaves the “keyway profile” as a distinguisher multiplier and there are often only two or four of those…

I’ve actually had a totally innocent “key clash” back in the 1980’s. Knowing what I did on buying my first home, I got fairly rare security locks and went with an earlier version of what is now called the Kaba 20,

https://www.dormakaba.com/gb-en/offering/products/mechanical-key-systems/cylinder-locks-with-reversible-keys/kaba-20–ka_73961

That had flat keys with what I measured with a pin depth gauge as being a quinary code drilled into the surface by the depth of pitting.

Due to the fact such locks are all too often sold in “master key sets” the 700 billion combination in the marketing is “over egging the pudding”.

Superficially all the keys look the same to human eyes… So if you had a number of keys on a key ring you could end up trying them in turn to find the right one. It’s how I found out that one of the five keys I had for home was actually a “cleaners key” for a place I worked at.

Oh don’t believe the marketing nonsense Kaba say about the keys can only be got from them… If you have a decent garage machine shop you can make your own with a vertical milling machine with a two axis adjustable table.

bruce hyman January 15, 2025 4:05 PM

It’s not just mailboxes.
Multi-family dwellings in many cities have “Knox boxes” installed for fire department emergency entry – typically, a box is located near the building pedestrian entry and contains a master building key or fob. ALL knoxboxes in an area (typically, a fire department zone, but potentially an entire city) have the same key, kept in each of the fire department vehicles.
If a knoxbox key is compromised, a burglar can open any knoxbox in the region, which means they are in every apartment house without activating an alarm.

Alfred February 26, 2025 5:56 AM

@Clive Robinson

“Oh don’t believe the marketing nonsense Kaba say about the keys can only be got from them…”

Clive, totally agree that mechanical locks are still vulnerable despite digital advances. Even simple raking techniques work on many locks. Surprising how effective these can be:
lockpickwebwinkel.nl/lockpick-set/rake-pick-set/


Sidebar photo of Bruce Schneier by Joe MacInnis.