Steven Grimaud has written to point out Bruce Schneier‘s very nice posting on the heartbreak of global secrets:
Global secrets are generally considered poor security. The problems are twofold. One, you cannot apply any granularity to the security system; someone either knows the secret or does not. And two, global secrets are brittle. They fail badly; if the secret gets out, then the bad guys have a pretty powerful secret.
This is the situation right now in Sydney, where someone stole the master key that gives access to every train in the metropolitan area, and also starts them.
Unfortunately, this isn't a thief who got lucky. It happened twice, and it's possible that the keys were the target:
The keys, each of which could start every train, were taken in separate robberies within hours of each other from the North Shore Line although police believed the thefts were unrelated, a RailCorp spokeswoman said.
The first incident occurred at Gordon station when the driver of an empty train was robbed of the keys by two balaclava-clad men shortly after midnight on Sunday morning.
The second theft took place at Waverton Station on Sunday night when a driver was robbed of a bag, which contained the keys, she said.
So, what can someone do with the master key to the Sydney subway? It's more likely a criminal than a terrorist, but even so it's definitely a serious issue:
A spokesman for RailCorp told the paper it was taking the matter “very seriously,” but would not change the locks on its trains.
Instead, as of Sunday night, it had increased security around its sidings, with more patrols by private security guards and transit officers.
The spokesman said a “range of security measures” meant a train could not be stolen, even with the keys.
I don't know if RailCorp should change the locks. I don't know the risk: whether that “range of security measures” only protects against train theft — an unlikely scenario, if you ask me — or other potential scenarios as well. And I don't know how expensive it would be to change the locks.
Another problem with global secrets is that it's expensive to recover from a security failure.
And this certainly isn't the first time a master key fell into the wrong hands:
Mr Graham said there was no point changing any of the metropolitan railway key locks.
“We could change locks once a week but I don't think it reduces in any way the security threat as such because there are 2000 of these particular keys on issue to operational staff across the network and that is always going to be, I think, an issue.”
A final problem with global secrets is that it's simply too easy to lose control of them.
Moral: Don't rely on global secrets.
[tags: Global Secrets, Bruce Schneier]
