Schneier on Security
A blog covering security and security technology.
« Italians Use Soldiers to Prevent Crime |
| NSA Forms »
August 5, 2008
Laptop with Trusted Traveler Identities Stolen
Oops. A laptop with the names of 33,000 people enrolled in the Clear program -- the most popular airport "trusted traveler" program -- has been stolen at SFO. The TSA is unhappy.
Stealing databases of personal information is never good, but this doesn't make a bit of difference to airport security. I've already written about the Clear program: it's a $100-a-year program that lets you cut the security line, and nothing more. Clear members are no more trusted than anyone else.
Anyway, it's easy to fly without an ID, as long as you claim to have lost it. And it's also easy to get through airport security without being an actual airplane passenger.
None of this is security. Absolutely none of it.
EDITED TO ADD (8/7): The laptop has been found. Turns out it was never stolen:
The laptop was found Tuesday morning in the same company office where it supposedly had gone missing, said spokeswoman Allison Beer.
"It was not in an obvious location," said Beer, who said an investigation was under way to determine whether the computer was actually stolen or had just been misplaced.
Why in the world do these people not use full-disk encryption?
Posted on August 5, 2008 at 12:09 PM
• 65 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I noticed the Clear kiosk when I was standing in a security line a few weeks ago. The main thing I noticed was that I was through the regular line relatively quickly (less than 10 minutes). So, for the privilege of shaving 10 minutes or so off your wait in that particular line, you get to pay $100 annually and have your personal data stolen. You know, I actually feel kind of sorry for the poor suckers who fell for this nonsense. I hope cutting in line makes up for all the work they'll have to do and the money they'll have to spend fighting identity theft if this data gets sold.
By the way, when can we stop having "trusted traveler" and the like where the average Joe has to prove he's innocent and start having "trusted official" where it's up to the officials to prove they're A) competent and B) not on the take?
"Follow the money."
It worked in 1973 and it would work today if they would JUST DO IT
"Follow the money."
And the 30,000 lost identities will doubtless add to further bloat on the no-fly list, another security boondoggle ...
Don't these people ever learn???
Shouldn't that subcontractor and GE be prosecuted for failing to follow TSA guidelines…?
They should still be prosecuted, or have charges filed against them by everyone on the Clear system list. That has got to be one unhappy bunch.
"None of this is security. Absolutely none of it."
Agreed. That much is clear.
Apparently TSA's requirement that Registered Traveler providers use data encryption was poorly enforced and has no teeth other than suspension of new enrollments.
It still amazes me how many people don't grasp that a little drive encryption can change their exposure from tons of bad press and millions of dollars in penalties and cleanup to $2,000 to buy, image and deploy a replacement laptop.
Before we went to enterprise-wide mandatory drive encryption on laptops and desktops about four or five years ago, our last lost laptop cost about three million for all of the consumer disclosures and credit report monitoring for the affected customers. Now thats teeth. (ouch!)
Umm... if subscribers aren't any more "trusted" than anyone else, then... why do they have to give "sensitive personal information" in order to sign up?
I suppose one could make a business case that Clear should identify their customers uniquely so that every "John Smith" must pay his (or her) own fee, but I suspect it's just the old habit of many "Security" types: gather all possible information about other people. Ask them why, and they give you a blank look and say "Security".
I smell an expensive class-action suit. The incompetence of the TSA is painful.
Perhaps corporations and government entities need to adopt strict policies about storing personal data on laptops and other portable hardware; it seems like a simple solution to a fairly common problem. Or at least ask themselves if it's really necessary to carry around all this data.
I hope this means all the Clear enrolees will get /extra/ screening. Their identity might have been stolen, so anyone claiming to be on the program could be a terrorist!
No malice towards them, individually. I just want to see another TSA program be an obvious, public failure.
Well, crap; how can I test my fake identities ahead of time with the program shut down :(
I like to think its just the universe's way of evening the score...http://yro.slashdot.org/article.pl?sid=08/08/01/0958242&tid=158
I perused the TSA Web site. Some of the things I read there are jsut astounding:
"Good security requires treating all people the same, regardless of age, ethnicity or physical condition." from http://www.tsa.gov/press/madness/...
and whenever I fly, and hear in the waiting line, "Security is everyone's responsibility" from the TSA video, I just want to yell, "Nuh-uh!"
You could at least use the local link for that story (which includes the Slashdot link): http://www.schneier.com/blog/archives/2008/08/...
Anyway, it should be noted that 'Clear' is a private service, not directly associated with the TSA, and the link above is to do with border guards, so there isn't necessarily any direct connection aside from laptops sprouting legs and wandering off...
'...Allison Beer, a spokeswoman for Verified Identity Pass Inc., said the laptop was found tuesday morning in the same secured room at the airport that it went missing from and that officials are working to determine whether any of the data was compromised..'
So...maybe someone took it home to play?
As it was so eloquently put in another forum:
"No wonder they want to seize and inspect people's laptops. They're trying to find their PC!"
Absolutely unreal. It's nice to know that they follow security practices lamer than how we handles computers AT MY HOUSE.
There are now 33,000 people who will be wishing they hadn't given up easy to copy but difficult to change information. Whoops.
That laptop went missing for a reason, presumably to take it somewhere to copy off the data. It was "announced" as returned to take the heat off the vendor (of course, speculation on my part).
Interestingly, two months ago when I was at SFO I saw the Clear people doing signups, and actually thought to myself, "that's not a very secure setup they've got. I'm sure that laptop has interesting information on it, like a list of people that won't get as much TSA scrutiny."
why the hell is it living on a laptop? it should be on a server somewhere where you have to go through multiple layers of security.
But they said it's protected by two passwords. Aren't BIOS and Windows passwords sufficient for protecting data??
This is weird... I'm subscribed to the SFGate Crime RSS feed. In my reader, the story says "TSA: Laptop with Clear applicants' info missing" but when I click on it, I get a story that says "TSA: Laptop with Clear applicants' info found". The CBS 5 story that Bruce links also now indicates the laptop was found.
Interesting that the laptop was found so quickly after the story was published. I also find it interesting that both SFGate and CBS 5 have apparently updated the original news item instead of issuing a new one. I guess the original stories went down the memory hole?
I just flew through sfo so I walked up and asked the clear reps whether the story was true.suprisingly they were happy to share details to a complete stranger about the incident.
"Oh yes, it was our laptop in the office but there's no need to worry because it is double-encypted."
Oh, double? Not super-size or grande encryption?
I'll spare you the details, but believe me it was funny.
The best part was at the end when they asked me to sign-up for clear today.
Felt like a scene from WallE -- welcome to Buy and Large security.
why such thing as "trusted traveler" program exists in the first place. smells like privatization of something that is meant to be public good. good software for travel pattern analysis could act on travel records alone to establish one as frequent traveler.
I will be not surprised if most of those tricks explained in the "Airport" novel by Arthur Hailey will work our days.
Ironically enough, the new 'seize-a-laptop' border policy would get someone traveling with double-encrypted data to be stopped at the border...
It's not terribly expensive, and it doesn't cripple your system performance.
Did anybody ever find out what "personal data" was on the computer? I thought it was the access control computer, containing the goofy biometric data they use to make sure you're in the program. It's not obvious how to turn a fingerprint hash of retina scan hash into identity theft.
Clear is a membership club, you're buying access to a security line that has fewer people in it. It's not less security cloak-and-dagger, it's just less waiting for the other folks in line to go through the TSA-approved security incantation.
Bruce says "None of this is security" and it's likely Clear would agree. They aren't selling security. They are selling the elimination of other people from the queue in front of you. That's not a security function, it's a time-waste reducing function.
While we might like to see the TSA stop wasting everyone's time, that would be a different blog topic.
Hmmm..maybe customs seized the laptop. They should check there.
about the border patrol finding it...
i doubt that they will find it!!! there to busy trying to keep me from stealing a 3 min 128kbps p.o.s. mp3 that didnt cost any one a dime to make a copy of!!!!
"Under ACTA, border patrol agents will be able to seize peoples ’ laptops, iPods, and other electronics which they suspect contain illegally-obtained media. If the border patrol thinks they've found such media on the devices, they are authorized to DESTROY them at their DISCRETION."
o so kid you have the new hip hop track let me see your 400$ ipod *steps on it* you couldnt have bought that.
So it disappeared a week ago and they only told people about it today? Then found it the same day everyone was told!
Buy & Large Security - very good.
"officials are working to determine whether any of the data was compromised"
How would they be able to tell?
If I copy the files for off-line cracking, no trace of the copying is left on the original disk.
After all, this is fundamental to computer forensics: always copy, never modify the original.
What I don't get is why people need to copy a database to their laptop. I know databases can serve information over a network and internet connectivity is fairly ubiquitous. So what are all these databases with sensitive information doing on people's laptops?
Yeah I was wondering the same thing. Why put such data on an easily removed piece of equipment. I would have thought they would put it into a server and bolt it to the floor. Though, more surprising, is that its not the US govt. that is handling this- but an outside company (ok maybe not so surprising, but upsetting).
Clearly, all the names of the people whose information was on this laptop need to go on the no-fly list now.
That way, two ridiculous, pointless, expensive programs can be rendered completely and publicly useless in one swift action.
TSA is funny. USA gov handling of 9/11 is funny. Pathetic == funny, because thats all we got for ~1 Trillion dollars.
Leadership of W and others is quite funny as well. Oh well.
Do you want to trust your government with your healthcare?
Democrats are also setting up some BAD police style stuff, while pointing the finger at Republican abuses, classic Soviet Union revolution style.
Enjoy the drama today, it really is funny.
To the many who are wondering why the data need to be on the laptop (rather than on a server, etc.): the assertion I read is that having the data local makes signing people up in areas w/out network connectivity (such as a company cafeteria) easier.
I suppose they just signed up 33,000 people in a really big cafeteria, then? Or could it be that the entire architecture is friggin' brain-damaged from the get go?
A statement by the Clear company said that "names, addresses and driver's license or passport numbers" were on the laptop.
According to them, the laptop also "required two passwords" to access the data.
This is undoubtedly what the happy smiley Clear reps were trying to tell me when they said "double-encryption" was in place so no need to worry.
Whew. Two passwords on a laptop.
Perhaps most amazing of all is that TSA ever let the program start without any requirement or compliance standard for information security.
What do you need to do to start your own Clear-like program?
Perhaps you can just buy a laptop, put a few kiosks in an airport, setup a webpage with marketing material about privacy and you're good to go? Was there a giant lobby fee or maybe some campaign contributions required?
Like most things in the Bush Administration, there is some kind of weird secrecy around the origins of this private-public arrangement. This is the best and only detail I could find:
"Interested parties must describe in their response how they would provide program management, biometric capabilities, tactical operations and systems integration support. TSA plans to award the final contract in early June."
Notice that "security" and "privacy" are not mentioned.
This proposal document used to live here:
"None of this is security. Absolutely none of it."
Of course, it is not. It is called "racket" and is the only business of all governments since antiquity.
The naivete of Western people (including some of the most intelligent people - this is a compliment, Bruce) is truly amazing. What a discovery - the government doesn't care about anything but the good of its bureaucrats. Most children in the USSR knew that by about the time they went to school.
Now, how about growing up and finally accepting the fact that the government is the enemy of any decent person?
Yes, it's rather convenient that somebody just walked into that room it just happened to be back on the table where it belonged.
They might find traces of activity if the machine has been turned on since it went missing, but anyone remotely competent could just take out the drive and copy it in another machine, leaving no traces unless there was some sort of seal on the drive bay. Alternatively, one could boot from a live-linux CD or something, and copy everything over a network without leaving any traces at all.
There is absolutely no point in having this data on a laptop, since UMTS and GPRS access are dirt cheap these days, and most of the time, it will probably be in range of a wireless network anyway. Just make sure you use a properly encrypted and authenticated tunnel, and only send data to the server for storage and verification, instead of sending the stored data from the server to the client.
Averros, well the gov is NOT the enemy of decent people, just the government that has been in place since the cold war ended.
Boil a frog slowly, thats been the long plan.
The government, while funny and wastefull, keeps faction fighting faction, and hopefully a sytong push to something like a middle. Only 'justice' that stays long term.
Optimization is the root of all evil, get rid of the gov or strip it away, and you got serious evil.
Read the Federalist, and Democracy in America, still VERY critical today.
Real great minds are correct and proper leaders. Sadly today things are a bit more __________ [fill in whatever you like]
Thankfully, USA promotes or tolerates ideas and debate, like this website, that help steer the path to righteousness.
Re: According to them, the laptop also "required two passwords" to access the data.
You can simulate this double-secret security on your own laptop. When logging on, you type the first part of the password, a colleague types the second part, and you press Enter. For the lost laptop, these parts would be "password" and "1" respectively.
indeed, it is rather sad that many people, even those who ought to know, think that just because they can't login in windows without the proper password, nobody else in this world can. That it is even possible, let alone very easy, to pull the drive and read it in another machine, is completely beyond them. Most people don't actually realize that computers are designed by people, to them, it's nothing but a box of black magic.
The problem with all this is, that most people don't even understand that a problem exists, let alone understand the details and a solution (like encryption). The question is, should the masses be educated, and who should do that?
A latop is reported stolen. It is assumed that someone broke into the office.
But if the laptop was never missing, were there still signs that the office had been broken into? What, then, was taken? Did the police investigate the crime scene?
If the laptop was assigned to a single person, how did they manage to misplace it? If assigned to a group of people, why are there not check in/out procedures to be followed?
"We found it, everything's okay," sounds nice, but it raises other questions.
So now that their information has been compromised, does that mean they have to be added to the terrorist watchlist instead?
That's irony for you. I hope they get a refund at least.
I've lost the nuclear launch codes! Someone simply took them when I fell asleep at work!
We're all doomed!!!
Oh, wait ... no, here they are.
I just misplaced them.
Everyone go back to what you were doing.
i will be very curious on their response.
just out of curiousity, are there any readers of these comments who are enrolled in this or a competing program?
They aren't selling security. They are selling the elimination of other people from the queue in front of you. That's not a security function, it's a time-waste reducing function.
indeed most people who understand security feel this way, but if you check out the CEO's message at www.flyclear.com:
I started Verified Identity Pass with a simple idea: In the post 9-11 era we have to take new measures to protect ourselves yet not destroy our way of life by strangling the free flow of people and commerce. Somehow, we have to find common sense solutions that don't make everyone a suspect and create security bottlenecks everywhere we go. To be blunt, that means we need a fair, sensible way not to treat everyone the same when it comes to terrorism protection.
Because when it comes to security at an airport or any place else, we have to think about how we allocate scarce resources and time.
Security experts call this idea "risk management," by which they mean they concentrate more on greater threats and less on lesser threats. It does not mean risk elimination. Just because someone has no record of being a threat doesn't mean they might not suddenly become one (which is why you'll still go through the metal detector.)
At Clear, we see ourselves, first and foremost, as exactly that kind of common-sense risk management solution to the security bottlenecks that are the by-product of the post-September 11 world.
it seems that they are indeed positioning themselves to sell security.
when the physical security of airline passengers is at stake, wouldn't it be a good idea to have a Plan B that gives an agency the option to destroy data if a breach is suspected? If that laptop hadn't turned up, or in the case that the laptop was stolen, breached and returned, the data contained within could make it easier for dangerous people to travel undetected. This puts anyone who travels by plane at risk.
Even full-disk encryption isn't a failsafe. The option to remotely destroy data seems like a reasonable one when it comes to people's lives.
"It's not so much a security issue as a violation of personal information," said TSA spokesman Nico Melendez. -- Dear TSA, why is someone's personal information NOT a security issue?
Just because the PR people who put up the web page think attributing those words to the CEO is the best marketing message does not change my opinion. When you say "it seems that they are indeed positioning themselves to sell security" my reaction is that talking all patriotic about security isn't actually selling security. Lots of folks claim their proprietary super sneaky encryption tool is secure. Web site claims aren't really facts.
The article previously referenced by Anonymous (http://www.theinquirer.net/gb/inquirer/news/2008/08/06/stolen-laptop-traveler-ids) implies that the laptop was indeed missing and that it was later returned to the same spot from which it was taken.
Maybe customs wanted to try out some of their new drive-mirroring n' cracking tools on it.
The real question here has nothing to do with the Clear programme, or the fact that the laptop went "missing." The real question is why this information is on a laptop in the first place. I can think of no reason other than pure laziness that actual live data is allowed to be taken on a laptop, instead of left in a database (on a server) where it belongs.
I can guarantee that the TSA sop that uses that laptop isn't doing anything with that data that can't be done with dummy data. Just one man's opinion.
Your Mission is to remove, copy, selectively alter, and replace the laptop and its data without being intercepted.
As always, if you are captured, the Secretary will deny all knowledge of your activities.
I suspect that Clear saw their business about to evaporate when the TSA suspended the program, and 'found' the laptop as quickly as possible. If the data was encrypted, the program wouldn't have been suspended to begin with.
Yet another reason to not use this program. If your driver's license number is stolen get a new one. It's a bit harder for a fingerprint or iris.
Hmmm...we lost your info...no! we found it (hahaha). Maybe the TSA didn't have the $330,000.00 to refund to everyone signed up. This is a sham and conspiracy, people. It's to avoid a class action suit.
Uh, so i might just not have all the data on this clear pass thing, but what it seems like so far is no one is getting the idea that i am. It seems the creaters of "clear pass" are profiting off of our countries fear of terrorism. "ok, so, we put TSA in all airports, do crazy checks on everything, this creates long, crappy lines, and then we offer the ability to skip all of this for $100". Also, from what it looks like, anyone with $100 isn't a terrorist.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.