Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Lax TSA Website Exposed Travelers' Information

Posted by kdawson on Sun Jan 13, 2008 02:39 PM
from the speaking-truth-to-stupidity dept.
Security
sjbe sends in an old story with a poetic justice ending. Almost a year ago Chris Soghoian blogged about multiple security holes exposing visitors to a TSA site to possible identity theft. Wired and others picked up the story and the TSA took down the insecure site and fixed the problems. On Friday the US House of Representatives Committee on Oversight and Government Reform released a report (PDF; HTML summary) finding that the TSA contractor, Desyne Web Services, had received a no-bid contract for the faulty site from a former employee who was then a TSA project manager. TSA has taken no action to sanction the responsible parties for the vulnerabilities. The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed.
+ -
story

Related Stories

[+] News: FBI Raids Security Researcher's Home 516 comments
Sparr0 writes, "The FBI has raided the home of Christopher Soghoian, the grad student who created the NWA boarding pass site. Details can be found on his blog including a scanned copy of the warrant. The bad news is that he really did break the law. The good news is that Senator Charles Schumer did it first, 19 months ago, on an official government website no less. The outcome of this trial should be at least academically interesting. At best, it could result in nullifying some portion of the law(s) that the TSA operates under." Read on for Sparr0's take on what laws may apply in this case.
[+] TSA Now Investigating Boarding Pass Hacker 270 comments
An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"
Submission: Lax TSA Website Exposes Traveller's Information by sjbe (173966)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Lax TSA Website Exposed Travelers' Information 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Like most security theater in this country ... (Score:3, Funny)

    by ScrewMaster (602015) on Sunday January 13 2008, @02:41PM (#22027330)
    Lax TSA Website Exposed Travelers' Information

    "Lax" describes it pretty well.

  • Another concrete example (Score:4, Interesting)

    by $RANDOMLUSER (804576) on Sunday January 13 2008, @02:45PM (#22027358)
    Of why DHS is out front and pulling away in the "Scariest Agency" poll.

  • What I want to know is ... (Score:5, Interesting)

    by ScrewMaster (602015) on Sunday January 13 2008, @02:47PM (#22027372)
    Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean? Sounds like a decidedly bass-ackward approach to me, designed more to prevent public awareness of corporate and governmental malfeasance than anything else.

    Nobody wants their dirty laundry aired, I understand, but attacking people that expose such egregious errors does nothing to improve matters. I mean, if I say publicly that "your Web site has x security flaws in it" and it turns out I'm lying, fine, sue me for libel or slander or whatever else. Or better yet, just ignore me. But if I make you aware of a serious problem and you do nothing but try to intimidate me into silence, you're obviously trying to cover your ass, and should be fired for incompetence.
    • RE:["Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean?"]

      this is nothing new, this has been going on for a loooonngg time, i suggest reporting it anonymously and publicly let everyone know including the IT responsible for locking down the system then just sit back and watch...

      • Re: (Score:3, Insightful)

        by galego (110613)
        Previous poster (parent) has a point though .. and I think it is .... unless you're absolutely confident of your 'anonymity' in reporting, then you are highly likely to become suspect. Your story is at least going to be checked out. If it's not on, then someone may sick their lawyer on you for slander/libel. I sat down at a courtesy kiosk at an auto dealer once to find a guy still logged into his Yahoo mail had walked away. I sent him a mail from himself and did not put my name in it, suggesting he ensur

    • Re:What I want to know is ... (Score:4, Insightful)

      by loraksus (171574) on Sunday January 13 2008, @03:56PM (#22027888) Homepage
      Because extremely expensive, no bid, just plain dishonest contracts to incompetents is how a great deal of the US government has work done.

      If private sector employees acted like this, they'd be fired for incompetence, the relationship with the incompetent 3rd party would be terminated fairly quickly, pressure would be put on the local district attorney to file fraud and conspiracy criminal charges if there was collusion and a whole lot less money would be spent before it all went away.

      In the case of government employees, it's just status quo. Move alone, nothing to see here.

      • Re:What I want to know is ... (Score:4, Informative)

        by sumdumass (711423) on Sunday January 13 2008, @05:52PM (#22028848) Journal
        How do you know they are expensive or dishonest? A no bid contract doesn't imply either automatically.

      • Re:What I want to know is ... (Score:4, Insightful)

        by ardent99 (1087547) on Sunday January 13 2008, @06:12PM (#22029040)
        Well, yes and no. Yes, the cynical me says lots of government contracts probably do get done this way even though they aren't supposed to. But at least the government has policies and laws that say they aren't supposed to work this way, and I bet the *majority* is still done honestly (I hope).

        But private companies are under no obligation to be fair in who they buy from. There are no laws that say a company must buy from the best, or cheapest, or whatever. They just pick who they feel like working with and that's it. If they want to buy work from their buddy then they do it. That's not fraud or conspiracy or collusion. It's not even secret or embarrassing. That's what business is all about, they just call it "networking" whereas in the government they call it "cronyism".

        Public companies at least have some obligation to shareholders to be fiscally responsible, but for the most part dealing with this kind of issue doesn't get raised to the level of the board of directors unless it dramatically affects the quarterly results, so the management is free to do whatever it wants anyway. CEOs in the private sector are cowboys and apparently as a country we like it that way, evidenced by the fact that so many people these days balk at regulation.

        So, no, this would not be better in the private sector. In fact, it is the status quo in the private sector which is why it is rarely news. It is not status quo in the government, or at least it shouldn't be, which is why we get so upset when it happens there. We expect the government to serve the people, and we want it to. We don't expect the private sector to serve the people we expect it to serve the company owners, and it does.

        The real story here is that cronyism has spread like a cancer into many areas of government, and this item in particular shows how the very forces that are claiming to enhance our national security are actually sabotaging it. The answer isn't to leave it to the private sector and let the cancer win, the answer is to kill the cancer before it kills us.

        • Re:What I want to know is ... (Score:4, Insightful)

          by Hognoxious (631665) on Monday January 14 2008, @05:24AM (#22032776) Homepage Journal

          There are no laws that say a company must buy from the best, or cheapest, or whatever.
          It's often stated on this site that corporations (or the managers of them) have a legal duty to maximise shareholder value. Buying the stuff at twice the market price from the CFO's cousin's company doesn't seem to be in compliance with that.

    • Re: (Score:3, Interesting)

      by couchslug (175151)
      "Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean? "

      In order to teach whistleblowers that the best way to point out security issues is to post the 'sploit anonymously and watch the enemy agency get hammered. It is obvious that these government agencies resent attempts to "help" them and will attack those who try. Stop Trying.

    • Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean?

      Why do you post your opinion as a question?

      Sounds like [it's] ... designed more to prevent public awareness of corporate and governmental malfeasance than anything else.

      • Re: (Score:3, Insightful)

        by ScrewMaster (602015)
        So the entire US government and all of it's agencies are fired, what exactly is that going to fix :P

        Well, at least we won't have to worry about the encroaching loss of civil liberties ... there'll be no-one left to take them.

        Of course, it would be a good idea for everyone to have a few guns and plenty of ammo: anarchy can be unpleasant.

      • Re:What I want to know is ... (Score:5, Interesting)

        by ScrewMaster (602015) on Sunday January 13 2008, @03:57PM (#22027898)
        True, but that's not what I mean. I'm talking about someone who is already an outsider discovering a problem. That's what this article is about: someone who found something and reported it, and was then attacked for it. This has been going on for some time. Generally speaking, if you find a problem with a corporation or government agency's Internet presence, you're better off keeping it to yourself. That's because odds are the people administering that resource don't really care about security, and are more interested in covering their asses at your expense.

        It's a much better move, careerwise, for a network admin to say "some guy was trying to hack our system, and being the network guru that I am I got his name and number", rather than admit that "some guy found a major hole in our security system, and kindly reported to us."

        There have been numerous cases of Good Samaritan types reporting an insecurity on a Web site, and having the sysadmins call up the FBI and report a "hacking attempt." Over the past several years I've been on misconfigured Web sites and FTP servers that gave me access to things I should never have been allowed to see. My normal instinct would be to report the problem to the site's administrators ... but I wouldn't take the chance, not anymore. I have no interest in having the Feds knock at my door and arrest me on some bogus antiterrorism charge. If I see anything I don't think was meant to be public, I immediately get out and never go back.

        This is not the same thing as being a whistleblower, which is what you're referring to. See, someone who is truly interested in securing a system would investigate such reports, from any source internal or external, and fix them. What we've been seeing is that it's more important to simply squelch such complaints at any cost, rather take the heat for one's mistakes. Worse, given the current legal situation in the U.S. a corporation that files a false hacking report can screw somebody up for life.

        That's where I draw the line.
        • A couple of years ago I was in San Francisco. I needed to check my email and there was an open access point. After checking mail, I checked "My Network Places". Their ENTIRE network was a big file share and it was WIDE OPEN! This was a medical facility and there were hundreds of patient records right there. I got out of there as fast as I couod and never went near there again! With the "shoot the messinger" attitude out there these days, who in their right mind wants to be the messinger?
          • Scary all right. I know that I went in for a checkup last week, and my doctor and the other personnel carried compact notebook machines with wireless links, so they could conveniently access their records database. Very cool, very efficient ... but I had to wonder just whether they'd taken the right steps to secure that network. Kinda made me want to take my own machine and do a little checking up on their WAP configuration, but I decided it wasn't worth the risk. That's even scarier, when you get right dow
  • Even as we are faced with incident after incident of our government failing to safeguard information, we do nothing as they collect more of it claiming they can be trusted to safeguard it.

    Real ID is going to be a nightmare.

    • Re:Even as we are faced with incident after incide (Score:5, Insightful)

      by ScrewMaster (602015) on Sunday January 13 2008, @02:57PM (#22027468)
      Real ID is going to be a nightmare.

      If that's what it takes. Remember the FBI under Hoover? Did all kinds of abusive stuff, until it finally reached the point where Congress had to rein them in and enact strict controls on their behavior, mainly because Congress itself was threatened by Hoover's activities. Hell, the bastard had dirt on all of them. However, many of those restrictions on law enforcement were undone with the Patriot Act, CALEA and other poorly-designed laws designed to strip civil liberties from us. I have the feeling that we're going to have to suffer through yet another cycle of government abuse (worse this time) until the pendulum swings back and some controls get put back in place.

      If we're that lucky. I have my doubts about this go 'round ... we may be in for the long haul.
      • I think you *precisely* correct in referring to the whole system as a pendulum. And, as you said, it's swinging further each time. What I fear--and, honestly, look forward to--is when that pendulum begins to swing so wildly and out of control that the entire system tears itself apart. Anyone who believes deep down that we can fix this system without a revolution is living in a fantasy world. There will come a time in the very near future when our country will undergo an actual, honest-to-god revolution, pos

        • Re: (Score:3, Informative)

          by pete6677 (681676)
          If we have a true revolution, you should be hoping you'll be lucky enough to live through it. Be careful what you wish for. There really could be worse governments than the U.S. led by Republicans. If you doubt me, just ask anyone who grew up as a subject under Stalin.

        • Re:Even as we are faced with incident after incide (Score:5, Insightful)

          by ScrewMaster (602015) on Sunday January 13 2008, @06:56PM (#22029370)
          I think you *precisely* correct in referring to the whole system as a pendulum.

          As an engineer, upon further reflection I think that a more apt description would be "running open loop". If you look at the U.S. Constitution, you'll realize that the so-called "checks-and-balances" put in place by the Founders, indeed the underpinnings of our entire Republic, are nothing but a series of carefully crafted negative feedback loops. The intent of those mechanisms was, of course, to prevent the government from going too far in one direction. The most basic of those is the fact that we can elect our leaders: the governments actions are processed by the population and fed back to the input as votes. Another loop was the original tariff system. It is complicated, but it worked for a long, long time, and had our elected leaders not fiddled with it continuously, would still be working now.

          The problem is that Congress, with its fundamental incompetence and endless quest for votes, has opened most of those loops and the proper amount of negative feedback is no longer being applied to the system inputs. In fact, there's generally no negative feedback whatsoever: it's all going the other way. That's placed us in a swell of uncontrolled positive feedback which will eventually reach the maximum tolerance of the system.

          In electronic terms, that usually means your output is locked to within a few millivolts of your positive supply voltage. In civil terms, it means a revolution is about to start.

          • while i don't disagree that our government leadership is incompetent, i think that the blame isn't solely on politicians. we did at one point live in a free and democratic society. a large part of the blame therefor rests on the the public. we have developed a culture of apathy, and as such no revolution could ever take place.

            the reason for public apathy is two folds. firstly, the bipartisan system that our democracy has evolved into is inherently broken. but more importantly the 4th estate has failed to u

      • Remember the FBI under Hoover?

        No. And that's a big problem.
        The generation which experienced stuff like that is rapidly passing into senility or worse.
      • The problem is that Congress is so damned spineless to begin with. The REAL ID act was passed in 2005, not after any discussion, debate, or vote, but only because it was slipped into a major spending bill by some self-serving Republican coward from Wisconsin. There wasn't even an effort to nullify it once it was discovered that it had passed - EVEN AFTER 17 states and a majority of Americans have voiced their opposition to it. It's about time Congress did its job already.
        • Congress is doing its job already: Crating jobs and boosting the economy.

          After all you and i don't pay the cost of re-election campaigning.
          It is done by corporates, who will stand to benefit from Real ID act.

          Imagine the cost of contracting out large quantities of safeboard, ink, printing presses, plastic, computer systems to maintain, training, emergency services (someone enters his hand into a press), laser printers, etc.

          And now imagine how much employment is generated when these people are needed for abov
      • If that's what it takes. Remember the FBI under Hoover? Did all kinds of abusive stuff, until it finally reached the point where Congress had to rein them in and enact strict controls on their behavior, mainly because Congress itself was threatened by Hoover's activities. Hell, the bastard had dirt on all of them. However, many of those restrictions on law enforcement were undone with the Patriot Act, CALEA and other poorly-designed laws designed to strip civil liberties from us. I have the feeling that we'
    • Real ID is going to be a nightmare.

      I think the opposite is true. This TSA site is needed at all because right now it's hard to prove that you're not on the list of bad guys. If you carry biometrically secure identification and have a unique identifier, that becomes much easier. A lot of the intrusions into our civil liberties and the lack of privacy are a result of not having good identifiers.

      In any case, the private sector is already going this route anyway with identification like the Clear card.
      • I think the opposite is true. This TSA site is needed at all because right now it's hard to prove that you're not on the list of bad guys. If you carry biometrically secure identification and have a unique identifier, that becomes much easier.

        Thing is that outside of fiction such things simply do not exist. Any actual ID card scheme will at best be only as secure as current systems.

        A lot of the intrusions into our civil liberties and the lack of privacy are a result of not having good identifiers.

        Actu
  • I do not think those words mean what you think they mean.

    • Summary:
      "The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed."

      TFA:
      "I'd be lying if I said that I wasn't grinning from ear to ear with the news of this report.
      It's poetic justice, if you will, for the unpleasantness that TSA put me through."

      IN TFA it isn't really "poetic justice" either. It's just "justice", lacking any of the irony necessary to make it "poetic". But makes a

  • Summary misses the point entirely (Score:5, Informative)

    by SpinyNorman (33776) on Sunday January 13 2008, @02:59PM (#22027474)
    The poetic justice is not that Soghoian (who exposed the vulnerability) was investigated by the FBI and TSA, but rather the exact opposite, that having been investigated by the FBI/TSA he was vindicated by the scathing congressional report agreeing with him. At least that's an accurate summary, although still a bit illogical since the FBI investigation was for a different issue altogether - him blogging about how to create fake boarding passes which doesn't seem the smartest thing to do if you are really concerned about security.
    • I'm glad someone else mentioned that (and got modded up for it). I can't stand summaries that completely mangle the point of the story. And yet Taco et al just keep on shoveling them through...

    • Re: (Score:2, Interesting)

      by pipoca (1142297)
      I'd not consider the whole fake boarding pass thing a threat to security (or rather, Soghoian's blogging about it) because anyone with an average IQ and a bit of time could think up of it (they check the veracity of the boarding pass and the fact that you have ID and a boarding pass separately. Is making a fake pass to go along with your ID that difficult an idea?!?). Posting about it is good because it forces the TSA to close a rather obvious exploit. Given that they ostensibly want security, the intel
    • him blogging about how to create fake boarding passes which doesn't seem the smartest thing to do if you are really concerned about security.

      So first you praise him for exposing one security vulnerability, but damn him from exposing another? Why should he keep quiet when it's obvious how to create a fake boarding card?
  • That's the last time I fly through Los Angeles then.

  • ..."no charges were ever filed." (Score:3, Interesting)

    by iminplaya (723125) <iminplaya.gmail@com> on Sunday January 13 2008, @03:09PM (#22027560) Journal
    Yet. Doesn't mean they can't be some time in the future. And this investigation...or scathing congressional report? What will come of it? Will fines be paid? Jail time served? I've seen very little come from "scathing congressional reports" in the past. Will this one be any different? I would think not. Will any of this bring about a demand for freedom of movement without undue harassment? Will we finally vote for politicians who mention the word "freedom" at all? All the numbers indicate otherwise.

    Nixon's the one [rvv.com].
  • Does anyone know a phone number, an office, etc that we can call to complain about the TSA?

  • TSA = Toothpaste Security Agency (Score:4, Insightful)

    by Anonymous Coward on Sunday January 13 2008, @06:03PM (#22028960)
    Why did the terrorists succeed on September 11, 2001? Conventional wisdom says the terrorists exploited a weakness in airport security by smuggling aboard box-cutters. What they actually exploited was a weakness in our mindset -- Crews were for years trained in the concept of "passive resistance." Everyone acted calm, and the crisis resolved with no loss of life. All of that changed when the first plane hit the north tower. What weapons the 19 men possessed mattered little, but it would never work again: Anyone pulling out a box cuter today would be dragged down by passengers.

    Yet today the DHS and TSA are still focused on the box cuters. Patrick Smith of the New York Times points out just how pointless the TSA searches have become. Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked? Why do cleaners and garbage workers handle these supposedly dangerous contraband unprotected? The ban on fluids itself flies in the face of scientific opinion: "The notion that deadly explosives can be cooked up in an airplane lavatory is pure fiction."

    http://jetlagged.blogs.nytimes.com/2007/12/28/the-airport-security-follies/index.html [nytimes.com]

    • Re: (Score:3, Insightful)

      by WK2 (1072560)

      Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked? Why do cleaners and garbage workers handle these supposedly dangerous contraband unprotected?

      Every promotion at the TSA requires that you get beaten in the head. The people who you see on the floor doing menial labor have not yet been beaten in the head. They know that there is nothing to fear from toothpaste.

    • Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked? Why do cleaners and garbage workers handle these supposedly dangerous contraband unprotected?

      Remember the story they made up for that one: the tubes contain components of liquid explosives, which would have been mixed in the lavatory to make the explosives. The tubes don't contain explosives themselves.

      Of course, the story's bogus, because t

    • Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked?

      OK, I here this meme all the time and it's finally annoyed me to post something. It's a preventative measure. A terrorist going to an airport wouldn't be able to easily take in liquid explosives (or otherwise nasty liquid chemicals) by stuffing them into toothpaste tube or shampoo bottle. Checking ALL the confiscated items would be prohibitivel

  • Does anyone remember the story of "The Emperor's New Clothes"? This is a story as old as time, only the names have changed. More of a continuing observation on human (mis)behavior, than anything else.

    DHS and the TSA were never meant to actually prevent harm to any citizen, but rather as a transfer of power from the citizen to the government. In that context, the ineptitude, mismanagement, harassment, failures, and the 'kill the messenger' attitude, begin to make a kind of sense. Much as any despotic entit

  • representatives (Score:4, Insightful)

    by nguy (1207026) on Sunday January 13 2008, @08:47PM (#22030194)
    Complain to your elected representatives with a short, politely worded letter. That's the most likely to get these practices stopped.

    • Re: (Score:3, Interesting)

      by Snorpus (566772)
      Yeah.... Poetic justice would be if the contractor who did such a poor job found his own personal details posted all over the 'net, because of holes in his own system.

      • ya, poetic justice would also be if kdawson were an english major in college right now, and got kicked out of school for inappropriate use of the phrase "poetic justice".

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.