Shostack + Friends Blog Archive

 

Birthday paradox bites FEMA

Via the SacBee:

WASHINGTON (AP) – FEMA will replace locks on as many as 118,000 trailers used by Gulf Coast hurricane victims after discovering the same key could open many of the mobile homes.
One locksmith cut only 50 different kinds of keys for the trailers sold to FEMA, officials said Monday.

The article continues:

That means, in an example of a worst-case scenario, one key could be used to unlock up to 10 mobile homes in a park of 500 trailers.

Uh, no. Actually, worst-case would be one key opens every trailer. Ten is the expected value (assuming randomly distributed locks).
There’s already a single “key” that opens every trailer door. It’s called a hammer. It isn’t clear to me that replacing these lock cylinders is a smart way to spend money.
Would it be unreasonable to ask the users of these trailers to foot the bill for the new lock cylinders themselves? Seems that making this a FEMA-managed task will increase the total cost, and probably delay the fix.
What do others think?
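The figures in the post, worked through as an added example that is not part of the original post. It assumes keys are assigned uniformly at random, as the post does, and the function names are illustrative. It also shows the birthday effect the title refers to: how few trailers it takes before two of them probably share a key.

```python
import random
from collections import Counter

def expected_trailers_per_key(trailers: int, keys: int) -> float:
    """Average number of trailers opened by one key under uniform assignment."""
    return trailers / keys

def p_shared_key(trailers: int, keys: int) -> float:
    """Birthday bound: probability that at least two trailers share a key."""
    if trailers > keys:
        return 1.0  # pigeonhole: more locks than distinct keys
    p_all_distinct = 1.0
    for i in range(trailers):
        p_all_distinct *= (keys - i) / keys
    return 1.0 - p_all_distinct

def trailers_for_likely_match(keys: int, threshold: float = 0.5) -> int:
    """Smallest number of trailers at which a shared key is more likely than not."""
    n = 1
    while p_shared_key(n, keys) <= threshold:
        n += 1
    return n

def simulate_key_loads(trailers: int, keys: int, seed: int = 1) -> list[int]:
    """Assign each trailer a random key; return trailers-per-key, busiest first."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    counts = Counter(rng.randrange(keys) for _ in range(trailers))
    return sorted((counts.get(k, 0) for k in range(keys)), reverse=True)

if __name__ == "__main__":
    TRAILERS, KEYS = 500, 50  # figures quoted in the post
    print("expected trailers per key:", expected_trailers_per_key(TRAILERS, KEYS))
    print("P(some shared key in the park):", p_shared_key(TRAILERS, KEYS))
    print("trailers needed for a >50% chance of a shared key:",
          trailers_for_likely_match(KEYS))
    loads = simulate_key_loads(TRAILERS, KEYS)
    print("one simulated park, busiest key opens", loads[0],
          "trailers; least used key opens", loads[-1])
```

The expected value is only an average: in any single random assignment some keys open more than ten trailers and others fewer, which is why ten is not a worst case.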

4 comments on "Birthday paradox bites FEMA"

  • Nicko says:

    There’s already a single “key” that opens every trailer door. It’s called a hammer. It isn’t clear to me that replacing these lock cylinders is a smart way to spend money.

    There is a huge difference between someone breaking into your property with a matching key and a break-in with a hammer. In the former case you’ll have a hard time convincing the police and an even harder time convincing your insurance company to pay while in the latter case your task is much easier.
    A cheap, low-grade 5-pin lock has 85=32,000 settings, which means that in a park of 500 homes you’re unlikely to have a match at all, much less find out what it is. With only 50 keys, one in 25 people will have a key that gets into one of their two neighbours’ houses. In that context I would argue that the “security feature” provided on the trailer doors is defective and should be replaced by the supplier.

  • Nicko says:

    Hummm… The comments system seems to strip the ‘sup’ tag from HTML in comments. That’s supposed to read 8 raised to the power 5 = 32,000, not 85=32K!

  • David Brodbeck says:

    This comes up from time to time with cars, too, and always seems to hit the news when it does. At least before electronic anti-theft systems, it wasn’t unheard of for someone to unlock the wrong car in a parking lot and get as far as starting it up before realizing it wasn’t theirs.

  • Iang says:

    It’s just a risk-based question. Asking whether to replace the locks without looking at the overall environment is just normal stupid security talk.
    Far better to ask whether and why it is that 500 camper victims are resorting to stealing from each other by opening each other’s caravans (“trailers” :). Is it really theft? Or are the managers extorting people? Or are teenagers slipping in and out for larks? Or does someone with influence have an agenda? Did the lock company promote this?
    In that, we’d almost certainly discover that replacing the locks will not achieve anything like addressing the underlying question. C.f., Adam’s hammer.
