Slashdot Mirror


Lax TSA Website Exposed Travelers' Information

sjbe sends in an old story with a poetic justice ending. Almost a year ago Chris Soghoian blogged about multiple security holes exposing visitors to a TSA site to possible identity theft. Wired and others picked up the story and the TSA took down the insecure site and fixed the problems. On Friday the US House of Representatives Committee on Oversight and Government Reform released a report (PDF; HTML summary) finding that the TSA contractor, Desyne Web Services, had received a no-bid contract for the faulty site from a former employee who was then a TSA project manager. TSA has taken no action to sanction the responsible parties for the vulnerabilities. The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed.

8 of 81 comments

  1. Another concrete example by $RANDOMLUSER · · Score: 3, Interesting

    Of why DHS is out front and pulling away in the "Scariest Agency" poll.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  2. What I want to know is ... by ScrewMaster · · Score: 5, Interesting

    Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean? Sounds like a decidedly bass-ackward approach to me, designed more to prevent public awareness of corporate and governmental malfeasance than anything else.

    Nobody wants their dirty laundry aired, I understand, but attacking people that expose such egregious errors does nothing to improve matters. I mean, if I say publicly that "your Web site has x security flaws in it" and it turns out I'm lying, fine, sue me for libel or slander or whatever else. Or better yet, just ignore me. But if I make you aware of a serious problem and you do nothing but try to intimidate me into silence, you're obviously trying to cover your ass, and should be fired for incompetence.

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:What I want to know is ... by ScrewMaster · · Score: 4, Interesting

      True, but that's not what I mean. I'm talking about someone who is already an outsider discovering a problem. That's what this article is about: someone who found something and reported it, and was then attacked for it. This has been going on for some time. Generally speaking, if you find a problem with a corporation or government agency's Internet presence, you're better off keeping it to yourself. That's because odds are the people administering that resource don't really care about security, and are more interested in covering their asses at your expense.

      It's a much better move, careerwise, for a network admin to say "some guy was trying to hack our system, and being the network guru that I am I got his name and number", rather than admit that "some guy found a major hole in our security system, and kindly reported it to us."

      There have been numerous cases of Good Samaritan types reporting an insecurity on a Web site, and having the sysadmins call up the FBI and report a "hacking attempt." Over the past several years I've been on misconfigured Web sites and FTP servers that gave me access to things I should never have been allowed to see. My normal instinct would be to report the problem to the site's administrators ... but I wouldn't take the chance, not anymore. I have no interest in having the Feds knock at my door and arrest me on some bogus antiterrorism charge. If I see anything I don't think was meant to be public, I immediately get out and never go back.

      This is not the same thing as being a whistleblower, which is what you're referring to. See, someone who is truly interested in securing a system would investigate such reports, from any source internal or external, and fix them. What we've been seeing is that it's more important to simply squelch such complaints at any cost, rather than take the heat for one's mistakes. Worse, given the current legal situation in the U.S., a corporation that files a false hacking report can screw somebody up for life.

      That's where I draw the line.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:What I want to know is ... by couchslug · · Score: 2, Interesting

      "Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean? "

      In order to teach whistleblowers that the best way to point out security issues is to post the 'sploit anonymously and watch the enemy agency get hammered. It is obvious that these government agencies resent attempts to "help" them and will attack those who try. Stop Trying.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  3. ..."no charges were ever filed." by iminplaya · · Score: 3, Interesting

    Yet. Doesn't mean they can't be some time in the future. And this investigation...or scathing congressional report? What will come of it? Will fines be paid? Jail time served? I've seen very little come from "scathing congressional reports" in the past. Will this one be any different? I would think not. Will any of this bring about a demand for freedom of movement without undue harassment? Will we finally vote for politicians who mention the word "freedom" at all? All the numbers indicate otherwise.

    Nixon's the one.

    --
    What?
  4. I agree.. by Newer+Guy · · Score: 2, Interesting

    A couple of years ago I was in San Francisco. I needed to check my email and there was an open access point. After checking mail, I checked "My Network Places". Their ENTIRE network was a big file share and it was WIDE OPEN! This was a medical facility and there were hundreds of patient records right there. I got out of there as fast as I could and never went near there again! With the "shoot the messenger" attitude out there these days, who in their right mind wants to be the messenger?

  5. Re:Poetic justice? by Snorpus · · Score: 2, Interesting

    Yeah.... Poetic justice would be if the contractor who did such a poor job found his own personal details posted all over the 'net, because of holes in his own system.

  6. Re:Summary misses the point entirely by pipoca · · Score: 2, Interesting

    I'd not consider the whole fake boarding pass thing a threat to security (or rather, Soghoian's blogging about it) because anyone with an average IQ and a bit of time could think of it (they check the veracity of the boarding pass and the fact that you have ID and a boarding pass separately. Is making a fake pass to go along with your ID that difficult an idea?!?). Posting about it is good because it forces the TSA to close a rather obvious exploit. Given that they ostensibly want security, the intelligent thing to do is plug said holes (which, so far as I can tell, has not yet been done), not persecute the person willing to point out the fact that they're being a bunch of idiots and leaving glaringly obvious exploits available. Oh wait, I forgot. The TSA couldn't give a rat's ass about security - they only care about giving people the illusion of security.