Schneier on Security
A blog covering security and security technology.
« More AACS Cracking |
| Real-World Back Doors »
February 20, 2007
TSA Website Hacked?
27B Stroke 6 has the details. Christopher Soghoian (of the boarding pass generator fame) appears to have been the first person to notice.
Posted on February 20, 2007 at 6:20 AM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
There's an interesting post on Soghoian's article by 'anonymous' claiming that pretty much all airline employees now have access to the TSA no-fly, selectee, and cleared lists. I do hope some public spirited worker makes them public.
Shouldn't the TSA now be worried that the No-Fly list will be used to create ficititious instantiations of the list members solely for the purpose of committing cybercrimes?
Talk about chasing phantoms ...
And the damn PDF still doesn't have an OMB control number.
Abolish TSA already!
Looks like the contractor put up a proof of concept website for evaluation purposes, and someone at the TSA made the mistake of actually linking to it. That explains why it's up early, and why not all the t's are crossed yet. Still very embarassing for both the contractor (at least spell-check your stuff before handing it over) and the TSA.
Has anyone considered the possibility that we're putting too much pressure on the TSA?
I'm not trying to condone what happened here, but they're a big agency with lots of rules and supervisors, many of whom may be necessary. Things take time. It sucks when you're the one who's targeted by unfair profiling, but forcing them to put up a web site in one month leads to this kind of sloppiness and doesn't stop the unfair profiling.
FP is right: the contractor should be embarassed. But, for all we know, the job ended up getting done by some fresh-out-of-school kid overnight, after 90% of the time allotted was spent getting approvals and determining requirements. Copy is usually provided by the client (the TSA), not the contractor. I've seen clients take my perfectly-worded and multiply-checked copy and force me to introduce errors because their concept of correct grammar or spelling is plain wrong.
Much as John Q. Public would like to think that securing a country is a trivial job, it's not. Someone should be accountable for this particular problem, but let's not disband the TSA just yet.
Absolutely not, the TSA is one of the more draconian parts of the DHS. They are wasting money, reducing security, already corrupt, and rescinding freedoms. It's not possible to apply to much pressure until the agency is dissolved.
Better knowing now what is cracked, than during an emergency situation. If the communications system doesn't work, it could compromise other operations. As far as too much pressure, the system should be robust enough to handle anything thrown at it and still remain intact and operational.
Just to follow up on Jim's point:
Resilience and failing gracefully are essential traits of anything that purports to provide national security.
There was the first part of a three-part series on NPR this morning with Stephen Flynn talking about port security where he makes a similar point.
Regardless of what measures we take to prevent emergencies, they WILL happen (hurricanes and earthquakes, even if there were no terrorist attacks). We need to pound on the DHS until they realized that Katrina was a worse failure than 9/11.
At this point, both the World Trade Center attacks and Hurricanes Katrina and Rita are in the past. Pounding on the DHS until they realize which was worse won't do anything for the future, and is likely to have little effect other than encouraging them to take an even more defensive posture.
Criticism of the agency should be constructive, and aimed at encouraging better responses to potential future events, rather than beating them up for past failures that they won't be able to do anything about until time travel becomes a reality.
Absolutely not. The word is FEEDBACK. In traditional English, it was responsibility. Isn't that the complaint of the right-wingers against such concepts as welfare?
You can't be just forward looking, you have to look at past failure, and recognize the failure points, including both procedural and individual failures. The people and organizations that fail need to be held accountable, if you hope to construct better systems going forward. Otherwise, all you will get is the "constructive criticism" going into an intellectual wastebasket.
Why fail students when they fail at an assignment? Isn't that beating them up for the past, when we should be "encouraging" them? We can see how well that philosophy has worked for our educational system. Let's release all the prisoners --- they can't undo their past mistakes, now can they? Or is it just different for the people at the top?
I'm with Aaron and Stephen Samuel. These poor TSA folks are the real victims here.
It's not fair of us to expect them to confiscate nail clippers, cough syrup, and baby formula while simultaneously worrying about unimportant things like SSL certificates, OMB numbers, and grammar.
If their website looks like the work of Romanian phishers, that's an obvious indicator that we should give them more money and encouragement. And a big cuddly hug.
In and of itself, an "F" tells a student only that they didn't perform up to standards. It doesn't tell them what they need to be doing to improve their grade. In that sense, the "F" - in and of itself - ISN'T useful feedback. I would hope that when your teachers failed you for things, they at least had the sense to tell you exactly where your errors were, rather than just handing you an "F" and walking away.
My criticism of Damon's point was that simply saying: "We need to pound on the DHS until they realized that Katrina was a worse failure than 9/11," is non-productive. Okay, the WTC attacks were a "D" and the hurricanes an "F." So what? How does making that point by itself improve anything? It doesn't take a rocket scientist to tell you that the response to the hurricanes was an absolute disaster, and ought never to be repeated. I'm not saying that DHS did anything resembling a competent job. But we should be pointing out the specifics of what didn't work, rather than just harping on the simple fact that they did a poor job.
There are a large number of people who feel that, given enough criticism, the Administration will be forced to dismantle the DHS. Given their current track record for recognizing bad ideas, I'm not holding my breath on that one. So I'd rather focus on making the current DHS LESS broken and incompetent than it is now, rather than simply beating a dead horse.
I'd agree that an F isn't optimal --- but it is useful. You many not know the direction of your error, but at least you know that you are in error, and a bit of searching may help you find the gradient.
I just don't agree that positive feedback is sufficient either. You need the carrot and the stick, not just the carrot. A feedback system needs a gradient, and hugs+kisses does not a gradient make.
You can't make the DHS less broken until you dump the buffoons who are making it broken -- and I'd agree, the problem doesn't start with dismantling DHS. It's got to start with the bosses -- a grossly, maliciously incompetent Administration. Without fixing that, none of our criticisms will ever be efficacious.
Well, I feel safe that if I fly to the US from the EU all my details, bank records and email account contents will be held by the TSA.
would not be surprised if the so called contractor for TSA subcontracted the coding work to AlKadaCodingInc.
I don't agree that exclusively positive feedback is useful either - and I never advocated that. Constructive criticism is a completely different animal - it's NOT just hugs and kisses. There's nothing that says firing folks can't be constructive for an organization. But it is designed to be forward looking.
I was having a medical procedure, and a new technician was inserting an IV. He kept missing the vein. The supervising doctor offered no other advice than "you missed," which, I assure you, we were ALL aware of (none more so than myself). I would have been much happier if the doctor had offered guidance on what the technician was doing wrong, and how to correct it, rather than just handing out "F"s, which lead to a painful (for me, anyway) exercise in trial and error. (He did eventually get it right, however.)
I use that example, because the DHS's poor performance leaves people's health, lives and property on the line. It's very important that they get it right next time. And I agree with you 100%, simply saying "you failed" or just cheering the little things they do get right, isn't an optimal way to ensure they do get it right next time.
In my experience, nobody gets an F without *knowing* they were in trouble.
If those in charge of the TSA know it's in trouble, they need to ask for help. If they don't know, then the responsibility of running it needs to be taken away from them.
I don't know what you read, Aaron. The page Bruce links to contains a whole lot more than a simple letter "F".
@the other Greg, re-read all Aaron's posts.
He clearly states in one of them that he is responding to a previous comment by Damon, not the base item by Bruce.
Why is it that some people want to turn everything into 'George W Bush and Wal-Mart are evil'? Interestingly enough, the very same people who want the president kicked out are the same people who tend to see positive enforcement as a good way to learn.
Move on, folks. Aaron's dead-on in saying that looking back and grading won't help. Make sure they're self-critical and that they're learning from their mistakes. Don't rub their nose in it with a childish, "I told you so." Being overly critical and grading leads to bureaucracy: look at what an average teacher spends most of their time on and compare to how good it would be if we taught our kids to be appropriately self-critical.
As an American, you implicitly agree with the system that got George W Bush elected and created the DHS. You also implicitly agree with the system that some guy (like you) can't just decide that the TSA needs to go, so it goes. You may not agree with *who* got elected, but *how* they got elected is fair and established, and that same how is going to keep the TSA around. If you don't like it, get out and vote, or run for office yourself. Once you get there, you'll realize that nothing is as trivial as you're making it sound.
@stephan samuel, "*how* they got elected is fair and established" is in fact untrue for the present administration.
The mechanism by which the Florida vote was stolen in 2000 has been clearly established and is well documented and well understood.
Oh, ok, if you define stealing elections as fair your statement stands as correct...
Or, put another way, dubya is prez just 'cuz he got the black vote that counted: Clarence Thomas.
When tested, even when agents are warned beforehand the test is coming, the TSA is incapable of stopping bombs or guns from getting past the security station. This would seem to give them an "F".
Unfortunately, there hasn't yet been another 9-11 style attack; this "evidence" would seem to suggest that the TSA's nail clipper and hair gel confiscate and resell scheme coupled with fondling busty women, AARP members, and toddlers is working brilliantly. When confronted, the TSA simply points to their apparent success in preventing hijackings as justification for their extraordinary breaches of the US Constitution and their cost in time, resources, and money.
I say - bring on any and all criticism.
The 'Bush stole the 2000 election in Florida' argument is weak.
First, the US doesn't have direct popular elections. Someone made a decision and it's too bad if you don't like it. Americans who don't like it can do the work to get themselves into the electoral college, or have it abolished.
Second, Florida is one state. Everyone who makes the 'vote was invalid' argument seems to forget that the race was otherwise close. It's not like Bush was losing by a landslide and then Florida popped in there and skewed the whole thing.
Third, we have a process for deciding re-counts and we used it. Back to the original argument, Americans implicitly agree to it, or they have the opportunity to try to change it. It hasn't been changed significantly since then, which means the population as a whole doesn't mind it enough to change it.
Fourth, the amount that the vote was off was smaller than the margin of error for a national election. It's statistically insignificant, which is one of the reasons for the electoral college in the first place.
Fifth, everyone who makes the 'Bush stole the election' argument seems to assume that he would have lost had there not been any problems. For all you know, he may have won by an even larger margin had there not been any problems. Given all the facts that can be supported, it's just as likely that Gore attempted to throw the election but botched it.
President George W. Bush won the presidential race by the best standard that the United States had on November 7, 2000. Since that was the sole criterion that we used to decide on who became President at the time, he won "fair and square." In the United States of America, it is a criminal offense to throw an election. President George W. Bush has not been convicted of such a crime. Until he is, any statement you make to the contrary is not factually correct.
I spotted the problem when an email with a link to TSA site was forwarded to me on 12/04/06. On 12/12/06 TSA responded with a generic message explaining the purpose of the site with no reference to the problem described.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.