A Bic Licks a Lock
It’s not an urban legend: your $1,500 Trek might really have been a goner if a serious cyclist hadn't broadcast the flaw in our most trusted locks.
Joe Mullin
On the evening of September 12, 2004, in a flat located in a Mission district alley, America's best bike locks began a public slide toward becoming U-shaped paperweights.
Five months later, many Bay Area bikes languish in storage indefinitely while their owners wait for a more secure solution. Business 2.0 named the fiasco the year's dumbest moment in business. It's hard to find any bike owners who are unaffected, as a product cyclists relied on for years has spiraled from indispensable to disposable.
It began when Chris Brennan, a 25-year-old computer security consultant, went home to lay to rest a preposterous suggestion he'd just heard from an acquaintance at Dolores Park—that his Kryptonite Evolution 2000 U-lock, thought to be one of the most secure on the market, could be jimmied open with a Bic pen.
The skeptical gearhead removed the pen's ink cartridge and jammed the tube-shaped plastic barrel into the similarly shaped lock. After just a few seconds of fiddling, his $50 lock opened. "It was like turning the key," says Brennan.
The ticked-off consumer immediately shot off an email to every address he could find on the Kryptonite website. And then, wanting to let his fellow cyclists know about the flaw, he posted a warning on BikeForums.net, a popular Internet cycling site.
Within two days, Brennan's announcement inspired several short digital films illustrating techniques for pen-picking locks. On September 17, the New York Times announced that "The Pen Is Mightier Than the Lock" and ran the story with a series of photos demonstrating how to pick a Kryptonite U-lock using a pen. Brennan's story ran in the Chronicle two days later.
Fortune magazine estimates that 1.8 million people had read the post by September 19, guided there by blogs and email lists. Brennan was contacted by dozens of national media outlets, and Kryptonite, the most relied-upon maker of tubular-keyed locks, was buried under a deluge of complaints. On September 22, the company announced an exchange program that parent company Ingersoll-Rand estimates will cost $10 million; the program is progressing so slowly that many bike owners are just buying new locks. In the meantime, Kryptonite is trying to get a new product out to its customers, while some are saying the company should have known about the product's shortcomings—or, in fact, did.
Who exactly did know about the vulnerability is up for debate. Some circumstantial evidence indicates that bike thieves were already employing the method. In the months leading up to the Bic trick's moment in the spotlight, there was a 40 percent increase in the number of bikes reported stolen to SFPD compared with the year before—462 between June and September in 2004, compared with 329 for those months in 2003. No one can say for sure that the spike was caused by pen-pickers, but on September 11, the day before Brennan's post, UC Berkeley graduate student Caterina Nerney's $1,400 Jamis road bike was stolen from a bike cage attached to UC Berkeley's Life Sciences Building. The two U-locks Nerney had used had been jimmied but were recovered intact. An employee of Missing Link Bicycle Cooperative, a Berkeley bike shop, says it was the first time she'd seen a Kryptonite Evolution 2000 U-lock defeated by a thief.
It's no surprise that the curtain was pulled back on the Bic trick here in the Bay Area's cycle culture. Forty percent of Bay Area households have bikes, and 1,500 bicyclists cross the Golden Gate Bridge on weekdays, a number that more than doubles on weekends. About 300,000 bike trips are taken each day in the Bay Area, the same number of people who ride BART each weekday.
Kryptonite is a household name in this hot spot for bike theft, especially in San Francisco, where over 1,000 bikes were reported stolen in 2004. Many thefts aren't even reported, and the San Francisco Bicycle Coalition believes the actual number is 10 to 12 bikes a day, or around 4,000 per year. For cyclists, round-keyed U-locks were the gold standard for securing their bikes, the last hope people had for staving off an army of thieves snagging every bike worth stealing on the street. Now that hope's been eliminated, possibly for years.
Many are laying blame on Brennan. His detractors—including Kryptonite—say he created the problem by broadcasting a criminal method. To Brennan's defenders, he was simply helping the bike community stay one step ahead of the thieves.
Chris Brennan is a page out of the hipster playbook—rail thin, with shaggy hair, he lives "car free," riding a customized Bianchi track bike. He has a collection of 524 vinyl records lining the walls of his room, five roommates, two websites, and vaguely anticapitalist politics.
A bike buff before moving here in 2002, Brennan became a zealot after his immersion in San Francisco's bike scene. He got into track bikes: a type of ultralight bike with a fixed gear that can brake only by backpedaling, they're not for novice riders. For a Florida kid who had once started a costumed gang of bikers who called themselves "bike punks," riding with Critical Mass and forcing his way up the San Francisco hills felt like "almost mecca." So when he discovered that the pen trick really worked, it seemed natural to warn his comrades on BikeForums.net.
It wasn't as though Brennan was the first person to disclose the Bic maneuver. Problems with similarly designed round-keyed locks for laptop computers had been reported two weeks earlier on the website Security.org. A British cycling site, BikeBiz.com, found two 1992 articles in U.K. cycling magazines detailing the ease of pen-picking some tubular-keyed locks—but neither mentions Kryptonite by name. Carlos Carujo, who owns the Freewheel Bike Shop, with stores in the Haight and the Mission, says he knew the trick about two weeks before it was publicized. He says he stopped selling the locks but didn't manage to contact Kryptonite. Employees in two other city bike shops reported having heard about the trick from people on the street weeks or even months earlier but dismissed the idea as crazy.
Imagine what might have happened if the story had continued to slowly trickle out: a small group of industrious bike thieves might easily have made off with hundreds of bikes before cyclists got wise.
Once the news broke, many reacted with shock and disbelief. Because the trick didn't work universally—some older locks weren't the right diameter, and some riders found it difficult to do—the information still smacked of urban legend. But once the story appeared in the national media and angry customers began to flock to bike shops, it became impossible to ignore.
At Berkeley's Missing Link, the staff—all of whom used the locks themselves—had taken down their Kryptonite stock the day before the story broke and put up warnings in its place. Within days, other shops took down their Kryptonites as well.
A few days after the media blitz, Justice Baxter, owner of Wheels of Justice Cyclery in Oakland's Montclair district, saw a guy lashing his bike to a parking meter on College Avenue with a cable lock. Baxter asked if he'd heard about the pen problem, and the biker said he had, vowing never to use his old U-lock again. But his cable lock was too long for the meter—anyone could have easily lifted the bike, slipped the cable off, and walked off with it, not to mention that cable locks can be cut.
"People weren't applying common sense," Baxter says.
Many people who immediately filed for an exchange haven't even heard from Kryptonite yet. The company has sent out postage to exchange 25,000 locks so far and expects to trade in a total of 100,000. It's still taking new requests and won't put a date on when it expects to finish the process. And some lock owners don't realize that they don't have to send back their old lock first in order to get a new one. People who regularly lock up their rides—like the tens of thousands of kids biking to school—are simply purchasing new locks, according to Brandon Street, manager of Mike's Bicycle Center in San Rafael. He is now selling Kryptonite competitor OnGuard, a U-lock that uses flat keys and sells for around $40.
Kryptonite company officials say they learned about the flaw only after the flood of complaints following Brennan's post. They may have to prove that in court, since ten class-action lawsuits have been filed against the company in California alone, one of them bearing Chris Brennan's name as plaintiff. Those lawsuits allege that selling Kryptonite locks vulnerable to pen-picking is a deceptive business practice, and some of the suits—though not Brennan's—accuse the company of knowing about the flaw as far back as 1992, thus defrauding customers. Now the ten law firms handling those cases are coordinating to create one class-action suit. Kryptonite refuses to comment on the suits. For his part, Brennan says all he wants is a lock that actually works.
Does Brennan have any regrets about posting the information to the Internet before Kryptonite could respond to emails?
"At first I did because I thought they were smaller," he says. But when he found out the company was owned by Ingersoll-Rand, he lost sympathy.
"It's information that would have gotten out no matter what," Brennan says. "It was already spreading by word of mouth, to the wrong people. Now the company is only interested in making a profit off of their own mistake."
Joe Mullin is a student at the UC Berkeley Graduate School of Journalism. He lives in Oakland.