Lax TSA Website Exposed Travelers' Information

sjbe sends in an old story with a poetic justice ending. Almost a year ago Chris Soghoian blogged about multiple security holes exposing visitors to a TSA site to possible identity theft. Wired and others picked up the story and the TSA took down the insecure site and fixed the problems. On Friday the US House of Representatives Committee on Oversight and Government Reform released a report (PDF; HTML summary) finding that the TSA contractor, Desyne Web Services, had received a no-bid contract for the faulty site from a former employee who was then a TSA project manager. TSA has taken no action to sanction the responsible parties for the vulnerabilities. The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed.

Like most security theater in this country ...

[ScrewMaster]

Lax TSA Website Exposed Travelers' Information

"Lax" describes it pretty well.

Re:Like most security theater in this country ...

[Kelz]

Did they mean "lax" as in "Loose and not easily retained or controlled." or LAX as in the airport?

Re:Like most security theater in this country ...

[ScrewMaster]

Did they mean "lax" as in "Loose and not easily retained or controlled." or LAX as in the airport?

Well, I've been through Los Angeles Airport a couple of times recently. I'd say either appellation is apt.

Re:

[uberCHIEFTAIN!]

Did they mean "apt" as in "Unusually intelligent and able to learn quickly and easily." or APT as in the airport (Marion County Airport)?

Re:

[ScrewMaster]

Actually, I think they meant apt as described in the John Carter of Mars novels by Edgar Rice Burroughs. His "Apts" (e.g., giant white four-armed apes) come pretty close to describing some of the TSA security people I've encountered.

Another concrete example

[$RANDOMLUSER]

Of why DHS is out front and pulling away in the "Scariest Agency" poll.

What I want to know is ...

[ScrewMaster]

Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean? Sounds like a decidedly bass-ackward approach to me, designed more to prevent public awareness of corporate and governmental malfeasance than anything else.

Nobody wants their dirty laundry aired, I understand, but attacking people that expose such egregious errors does nothing to improve matters. I mean, if I say publicly that "your Web site has x security flaws in it" and it turns out I'm lying, fine, sue me for libel or slander or whatever else. Or better yet, just ignore me. But if I make you aware of a serious problem and you do nothing but try to intimidate me into silence, you're obviously trying to cover your ass, and should be fired for incompetence.

Re:

[ScrewMaster]

So the entire US government and all of it's agencies are fired, what exactly is that going to fix :P

Well, at least we won't have to worry about the encroaching loss of civil liberties ... there'll be no-one left to take them.

Of course, it would be a good idea for everyone to have a few guns and plenty of ammo: anarchy can be unpleasant.

Re:

[Anonymous Coward]

Fairly basic psychology actually. By going to an outside agency to complain about your own organization you are betraying it. Your motives may be pure, and the outcome may be a public good (or even a good for your organization), but you can't expect to be *liked* for it.

Nobody likes a snitch. Expecting anything else is willful ignorance.

Re:What I want to know is ...

[ScrewMaster]

True, but that's not what I mean. I'm talking about someone who is already an outsider discovering a problem. That's what this article is about: someone who found something and reported it, and was then attacked for it. This has been going on for some time. Generally speaking, if you find a problem with a corporation or government agency's Internet presence, you're better off keeping it to yourself. That's because odds are the people administering that resource don't really care about security, and are more interested in covering their asses at your expense.

It's a much better move, careerwise, for a network admin to say "some guy was trying to hack our system, and being the network guru that I am I got his name and number", rather than admit that "some guy found a major hole in our security system, and kindly reported to us."

There have been numerous cases of Good Samaritan types reporting an insecurity on a Web site, and having the sysadmins call up the FBI and report a "hacking attempt." Over the past several years I've been on misconfigured Web sites and FTP servers that gave me access to things I should never have been allowed to see. My normal instinct would be to report the problem to the site's administrators ... but I wouldn't take the chance, not anymore. I have no interest in having the Feds knock at my door and arrest me on some bogus antiterrorism charge. If I see anything I don't think was meant to be public, I immediately get out and never go back.

This is not the same thing as being a whistleblower, which is what you're referring to. See, someone who is truly interested in securing a system would investigate such reports, from any source internal or external, and fix them. What we've been seeing is that it's more important to simply squelch such complaints at any cost, rather take the heat for one's mistakes. Worse, given the current legal situation in the U.S. a corporation that files a false hacking report can screw somebody up for life.

That's where I draw the line.

I agree..

[Newer Guy]

A couple of years ago I was in San Francisco. I needed to check my email and there was an open access point. After checking mail, I checked "My Network Places". Their ENTIRE network was a big file share and it was WIDE OPEN! This was a medical facility and there were hundreds of patient records right there. I got out of there as fast as I couod and never went near there again! With the "shoot the messinger" attitude out there these days, who in their right mind wants to be the messinger?

Re:

[ScrewMaster]

Scary all right. I know that I went in for a checkup last week, and my doctor and the other personnel carried compact notebook machines with wireless links, so they could conveniently access their records database. Very cool, very efficient ... but I had to wonder just whether they'd taken the right steps to secure that network. Kinda made me want to take my own machine and do a little checking up on their WAP configuration, but I decided it wasn't worth the risk. That's even scarier, when you get right dow

Re:

[The_Laughing_God]

HIPAA is very strict about medical information, compared to the rest of IT. I've seen people fired for "three strikes" -- three emails were sent to patients with excessive/disallowed information. I don't recall the exact details, but the release was "excessive" because it contained a combination of common identifiers, such as the patient's full name, not because of the info itself.

It's one area where you can report the problem directly to an enforcing agency and heads will roll, rather than reporting it to

Re:

[FudRucker]

RE:["Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean?"]

this is nothing new, this has been going on for a loooonngg time, i suggest reporting it anonymously and publicly let everyone know including the IT responsible for locking down the system then just sit back and watch...

Re:

[galego]

Previous poster (parent) has a point though .. and I think it is .... unless you're absolutely confident of your 'anonymity' in reporting, then you are highly likely to become suspect. Your story is at least going to be checked out. If it's not on, then someone may sick their lawyer on you for slander/libel. I sat down at a courtesy kiosk at an auto dealer once to find a guy still logged into his Yahoo mail had walked away. I sent him a mail from himself and did not put my name in it, suggesting he ensur

Re:What I want to know is ...

[loraksus]

Because extremely expensive, no bid, just plain dishonest contracts to incompetents is how a great deal of the US government has work done.

If private sector employees acted like this, they'd be fired for incompetence, the relationship with the incompetent 3rd party would be terminated fairly quickly, pressure would be put on the local district attorney to file fraud and conspiracy criminal charges if there was collusion and a whole lot less money would be spent before it all went away.

In the case of government employees, it's just status quo. Move alone, nothing to see here.

Re:What I want to know is ...

[sumdumass]

How do you know they are expensive or dishonest? A no bid contract doesn't imply either automatically.

Re:What I want to know is ...

[ardent99]

Well, yes and no. Yes, the cynical me says lots of government contracts probably do get done this way even though they aren't supposed to. But at least the government has policies and laws that say they aren't supposed to work this way, and I bet the *majority* is still done honestly (I hope).

But private companies are under no obligation to be fair in who they buy from. There are no laws that say a company must buy from the best, or cheapest, or whatever. They just pick who they feel like working with and that's it. If they want to buy work from their buddy then they do it. That's not fraud or conspiracy or collusion. It's not even secret or embarrassing. That's what business is all about, they just call it "networking" whereas in the government they call it "cronyism".

Public companies at least have some obligation to shareholders to be fiscally responsible, but for the most part dealing with this kind of issue doesn't get raised to the level of the board of directors unless it dramatically affects the quarterly results, so the management is free to do whatever it wants anyway. CEOs in the private sector are cowboys and apparently as a country we like it that way, evidenced by the fact that so many people these days balk at regulation.

So, no, this would not be better in the private sector. In fact, it is the status quo in the private sector which is why it is rarely news. It is not status quo in the government, or at least it shouldn't be, which is why we get so upset when it happens there. We expect the government to serve the people, and we want it to. We don't expect the private sector to serve the people we expect it to serve the company owners, and it does.

The real story here is that cronyism has spread like a cancer into many areas of government, and this item in particular shows how the very forces that are claiming to enhance our national security are actually sabotaging it. The answer isn't to leave it to the private sector and let the cancer win, the answer is to kill the cancer before it kills us.

Re:What I want to know is ...

[Hognoxious]

There are no laws that say a company must buy from the best, or cheapest, or whatever.

It's often stated on this site that corporations (or the managers of them) have a legal duty to maximise shareholder value. Buying the stuff at twice the market price from the CFO's cousin's company doesn't seem to be in compliance with that.

Re:

[ardent99]

There is a huge difference between high level goals and the details of operating decisions. Companies make all kinds of decisions, some of which lose money and some of which make money. There is nothing that says a company can't spend too much on pencils, or pay too much for a web site from the CFO's cousin. In a typical company, how many purchase order decisions are made by putting out requests for bids? In most companies none. It is up to the management to decide what something is worth to the company

Re:

[couchslug]

"Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean? "

In order to teach whistleblowers that the best way to point out security issues is to post the 'sploit anonymously and watch the enemy agency get hammered. It is obvious that these government agencies resent attempts to "help" them and will attack those who try. Stop Trying.

Re:

[WK2]

Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean?

Why do you post your opinion as a question?

Sounds like [it's] ... designed more to prevent public awareness of corporate and governmental malfeasance than anything else.

Re:

[ScrewMaster]

Because that way other people are invited to comment upon it.

Re:

[Snorpus]

Yeah.... Poetic justice would be if the contractor who did such a poor job found his own personal details posted all over the 'net, because of holes in his own system.

Re:

[zojas]

ya, poetic justice would also be if kdawson were an english major in college right now, and got kicked out of school for inappropriate use of the phrase "poetic justice".

Even as we are faced with incident after incident.

[riseoftheindividual]

Even as we are faced with incident after incident of our government failing to safeguard information, we do nothing as they collect more of it claiming they can be trusted to safeguard it.

Real ID is going to be a nightmare.

Re:Even as we are faced with incident after incide

[ScrewMaster]

Real ID is going to be a nightmare.

If that's what it takes. Remember the FBI under Hoover? Did all kinds of abusive stuff, until it finally reached the point where Congress had to rein them in and enact strict controls on their behavior, mainly because Congress itself was threatened by Hoover's activities. Hell, the bastard had dirt on all of them. However, many of those restrictions on law enforcement were undone with the Patriot Act, CALEA and other poorly-designed laws designed to strip civil liberties from us. I have the feeling that we're going to have to suffer through yet another cycle of government abuse (worse this time) until the pendulum swings back and some controls get put back in place.

If we're that lucky. I have my doubts about this go 'round ... we may be in for the long haul.

Re:

[Ambiguous Coward]

I think you *precisely* correct in referring to the whole system as a pendulum. And, as you said, it's swinging further each time. What I fear--and, honestly, look forward to--is when that pendulum begins to swing so wildly and out of control that the entire system tears itself apart. Anyone who believes deep down that we can fix this system without a revolution is living in a fantasy world. There will come a time in the very near future when our country will undergo an actual, honest-to-god revolution, pos

Re:

[pete6677]

If we have a true revolution, you should be hoping you'll be lucky enough to live through it. Be careful what you wish for. There really could be worse governments than the U.S. led by Republicans. If you doubt me, just ask anyone who grew up as a subject under Stalin.

Re:

[Ambiguous Coward]

I'm sorry, but the only valid response to this is: "What the FUCK?"

I'm sorry, since when did the existence of a worse system make this system okay? There is *always* a worse system. That does not justify this one. I don't want to be personal, but your statement is pitiful, apologetic garbage. I don't care who runs the US government. Republicans, Democrats, it doesn't matter. THEY ARE ALL OUT OF CONTROL.

I *do* want a revolution. It is absolutely necessary at this point. Yes, a lot of us may not live through

Re:Even as we are faced with incident after incide

[ScrewMaster]

I think you *precisely* correct in referring to the whole system as a pendulum.

As an engineer, upon further reflection I think that a more apt description would be "running open loop". If you look at the U.S. Constitution, you'll realize that the so-called "checks-and-balances" put in place by the Founders, indeed the underpinnings of our entire Republic, are nothing but a series of carefully crafted negative feedback loops. The intent of those mechanisms was, of course, to prevent the government from going too far in one direction. The most basic of those is the fact that we can elect our leaders: the governments actions are processed by the population and fed back to the input as votes. Another loop was the original tariff system. It is complicated, but it worked for a long, long time, and had our elected leaders not fiddled with it continuously, would still be working now.

The problem is that Congress, with its fundamental incompetence and endless quest for votes, has opened most of those loops and the proper amount of negative feedback is no longer being applied to the system inputs. In fact, there's generally no negative feedback whatsoever: it's all going the other way. That's placed us in a swell of uncontrolled positive feedback which will eventually reach the maximum tolerance of the system.

In electronic terms, that usually means your output is locked to within a few millivolts of your positive supply voltage. In civil terms, it means a revolution is about to start.

Re:

[lysergic.acid]

while i don't disagree that our government leadership is incompetent, i think that the blame isn't solely on politicians. we did at one point live in a free and democratic society. a large part of the blame therefor rests on the the public. we have developed a culture of apathy, and as such no revolution could ever take place.

the reason for public apathy is two folds. firstly, the bipartisan system that our democracy has evolved into is inherently broken. but more importantly the 4th estate has failed to u

Re:

[Ambiguous Coward]

Yes. That's all I can say this this: yes.

-G

Re:

[Ambiguous Coward]

Also, apparently I can't even form a coherent sentence today. That should have read: "That's all I can say to this: yes." If only there were some sort of "preview" functionality!

-G

Re:

[Jah-Wren Ryel]

Remember the FBI under Hoover?

No. And that's a big problem.
The generation which experienced stuff like that is rapidly passing into senility or worse.

Re:

[symbolic]

The problem is that Congress is so damned spineless to begin with. The REAL ID act was passed in 2005, not after any discussion, debate, or vote, but only because it was slipped into a major spending bill by some self-serving Republican coward from Wisconsin. There wasn't even an effort to nullify it once it was discovered that it had passed - EVEN AFTER 17 states and a majority of Americans have voiced their opposition to it. It's about time Congress did its job already.

Re:

[freedom_india]

Congress is doing its job already: Crating jobs and boosting the economy.

After all you and i don't pay the cost of re-election campaigning.
It is done by corporates, who will stand to benefit from Real ID act.

Imagine the cost of contracting out large quantities of safeboard, ink, printing presses, plastic, computer systems to maintain, training, emergency services (someone enters his hand into a press), laser printers, etc.

And now imagine how much employment is generated when these people are needed for abov

Re:

[ScrewMaster]

Congress is doing its job already: Crating jobs and boosting the economy. [boldface mine]

Indeed. Congress is "crating" all of our jobs ... boxing them up and shipping them overseas. How that is supposed to boost the United States' economy is a mystery to me. Conversely, it is readily apparent how all those jobs have boosted the respective economies of India and China.

Re:

[freedom_india]

According to Reaganomics, if the rich get richer, the poor *can* get richer too, provided the richer trickle down the money in the form of pennies to the guy begging outside.

Economics is a zero sum game. For me to win, you have to lose.

Crating jobs to india does not mean if the jobs were not crated would be available in USA. It is more likely the cost of living would have increased a lot, but so too would have salaries.

Now by crating jobs, we enable the rich to earn more via LBO and IPOs.

Re:

[mpe]

If that's what it takes. Remember the FBI under Hoover? Did all kinds of abusive stuff, until it finally reached the point where Congress had to rein them in and enact strict controls on their behavior, mainly because Congress itself was threatened by Hoover's activities. Hell, the bastard had dirt on all of them. However, many of those restrictions on law enforcement were undone with the Patriot Act, CALEA and other poorly-designed laws designed to strip civil liberties from us. I have the feeling that we'

this actually shows the opposite

[nguy]

Real ID is going to be a nightmare.

I think the opposite is true. This TSA site is needed at all because right now it's hard to prove that you're not on the list of bad guys. If you carry biometrically secure identification and have a unique identifier, that becomes much easier. A lot of the intrusions into our civil liberties and the lack of privacy are a result of not having good identifiers.

In any case, the private sector is already going this route anyway with identification like the Clear card.

Re:

[mpe]

I think the opposite is true. This TSA site is needed at all because right now it's hard to prove that you're not on the list of bad guys. If you carry biometrically secure identification and have a unique identifier, that becomes much easier.

Thing is that outside of fiction such things simply do not exist. Any actual ID card scheme will at best be only as secure as current systems.

A lot of the intrusions into our civil liberties and the lack of privacy are a result of not having good identifiers.

Actu

Re:

[nguy]

Thing is that outside of fiction such things simply do not exist. Any actual ID card scheme will at best be only as secure as current systems.

Lots of countries have physical id cards that are nearly impossible to forge. Many of those have no electronic components at all, are fully human readable, and are excellent from a privacy point of view.

Actually what you need to know is intent knowing identity isn't actually of much use.

Identity tells you a great deal about intent. Countries like Israel, for example

Re:

[mpe]

Lots of countries have physical id cards that are nearly impossible to forge. Many of those have no electronic components at all, are fully human readable, and are excellent from a privacy point of view.

In which case the other likelyhood is infiltration of wherever these are issued or bribary/blackmail of those already working there. A more likely reason for a low level of id cards being forged is that (unlike those proposed in the US and UK) they are "low value".

Identity tells you a great deal about i

Poetic justice?

[oddaddresstrap]

I do not think those words mean what you think they mean.

Re:

[homey of my owney]

Poetic justice would have been that the lame contractor was being investigated by the FBI. Or that the TSA manager was.

Re:

[1u3hr]

Summary:
"The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed."

TFA:
"I'd be lying if I said that I wasn't grinning from ear to ear with the news of this report.
It's poetic justice, if you will, for the unpleasantness that TSA put me through."

IN TFA it isn't really "poetic justice" either. It's just "justice", lacking any of the irony necessary to make it "poetic". But makes a

Summary misses the point entirely

[SpinyNorman]

The poetic justice is not that Soghoian (who exposed the vulnerability) was investigated by the FBI and TSA, but rather the exact opposite, that having been investigated by the FBI/TSA he was vindicated by the scathing congressional report agreeing with him. At least that's an accurate summary, although still a bit illogical since the FBI investigation was for a different issue altogether - him blogging about how to create fake boarding passes which doesn't seem the smartest thing to do if you are really concerned about security.

Re:

[gEvil (beta)]

I'm glad someone else mentioned that (and got modded up for it). I can't stand summaries that completely mangle the point of the story. And yet Taco et al just keep on shoveling them through...

Re:

[pipoca]

I'd not consider the whole fake boarding pass thing a threat to security (or rather, Soghoian's blogging about it) because anyone with an average IQ and a bit of time could think up of it (they check the veracity of the boarding pass and the fact that you have ID and a boarding pass separately. Is making a fake pass to go along with your ID that difficult an idea?!?). Posting about it is good because it forces the TSA to close a rather obvious exploit. Given that they ostensibly want security, the intel

Re:

[dr_d_19]

him blogging about how to create fake boarding passes which doesn't seem the smartest thing to do if you are really concerned about security.

So first you praise him for exposing one security vulnerability, but damn him from exposing another? Why should he keep quiet when it's obvious how to create a fake boarding card?

Well.

[xx01dk]

That's the last time I fly through Los Angeles then.

..."no charges were ever filed."

[iminplaya]

Yet. Doesn't mean they can't be some time in the future. And this investigation...or scathing congressional report? What will come of it? Will fines be paid? Jail time served? I've seen very little come from "scathing congressional reports" in the past. Will this one be any different? I would think not. Will any of this bring about a demand for freedom of movement without undue harassment? Will we finally vote for politicians who mention the word "freedom" at all? All the numbers indicate otherwise.

Nixon's the one [rvv.com].

Re:

[The_Wilschon]

Too bad they aren't being scythed by Congress instead...

Where is a good place to complain about the TSA

[dbc001]

Does anyone know a phone number, an office, etc that we can call to complain about the TSA?

Re:

[Deadstick]

https://forms.house.gov/wyr/welcome.shtml [house.gov]
http://www.senate.gov/general/contact_information/senators_cfm.cfm [senate.gov]

rj

TSA = Toothpaste Security Agency

[Anonymous Coward]

Why did the terrorists succeed on September 11, 2001? Conventional wisdom says the terrorists exploited a weakness in airport security by smuggling aboard box-cutters. What they actually exploited was a weakness in our mindset -- Crews were for years trained in the concept of "passive resistance." Everyone acted calm, and the crisis resolved with no loss of life. All of that changed when the first plane hit the north tower. What weapons the 19 men possessed mattered little, but it would never work again: Anyone pulling out a box cuter today would be dragged down by passengers.

Yet today the DHS and TSA are still focused on the box cuters. Patrick Smith of the New York Times points out just how pointless the TSA searches have become. Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked? Why do cleaners and garbage workers handle these supposedly dangerous contraband unprotected? The ban on fluids itself flies in the face of scientific opinion: "The notion that deadly explosives can be cooked up in an airplane lavatory is pure fiction."

http://jetlagged.blogs.nytimes.com/2007/12/28/the-airport-security-follies/index.html [nytimes.com]

Re:

[WK2]

Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked? Why do cleaners and garbage workers handle these supposedly dangerous contraband unprotected?

Every promotion at the TSA requires that you get beaten in the head. The people who you see on the floor doing menial labor have not yet been beaten in the head. They know that there is nothing to fear from toothpaste.

Re:

[ResidntGeek]

Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked? Why do cleaners and garbage workers handle these supposedly dangerous contraband unprotected?

Remember the story they made up for that one: the tubes contain components of liquid explosives, which would have been mixed in the lavatory to make the explosives. The tubes don't contain explosives themselves.

Of course, the story's bogus, because t

Re:

[ookabooka]

Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked?

OK, I here this meme all the time and it's finally annoyed me to post something. It's a preventative measure. A terrorist going to an airport wouldn't be able to easily take in liquid explosives (or otherwise nasty liquid chemicals) by stuffing them into toothpaste tube or shampoo bottle. Checking ALL the confiscated items would be prohibitivel

Re:

[mpe]

Patrick Smith of the New York Times points out just how pointless the TSA searches have become. Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked? Why do cleaners and garbage workers handle these supposedly dangerous contraband unprotected? The ban on fluids itself flies in the face of scientific opinion: "The notion that deadly explosives can be cooked up in an airplane lavatory is pure fiction

Nothing new to see here, move along...

[xZoomerZx]

Does anyone remember the story of "The Emperor's New Clothes"? This is a story as old as time, only the names have changed. More of a continuing observation on human (mis)behavior, than anything else.

DHS and the TSA were never meant to actually prevent harm to any citizen, but rather as a transfer of power from the citizen to the government. In that context, the ineptitude, mismanagement, harassment, failures, and the 'kill the messenger' attitude, begin to make a kind of sense. Much as any despotic entit

representatives

[nguy]

Complain to your elected representatives with a short, politely worded letter. That's the most likely to get these practices stopped.

Re:

[NixonTurf]

I'm a DC resident and don't have an elected representative, you insensitive clod!

Incompetence Pays!

[sciop101]

USA is a controlled state.

Privacy is myth!

All information is available SOMEWHERE.

Pay the piper...

[hol]

Of course officials will blame the guy pointing out their failures rather than fix them. The DHS is second in power only to the IRS to act outside of the 5th amendment.

My bet is anyone with a permutation of Chris Soghoian's name already has a 'SSSSS' on his boarding pass.