Lax TSA Website Exposed Travelers' Information

sjbe sends in an old story with a poetic justice ending. Almost a year ago Chris Soghoian blogged about multiple security holes exposing visitors to a TSA site to possible identity theft. Wired and others picked up the story and the TSA took down the insecure site and fixed the problems. On Friday the US House of Representatives Committee on Oversight and Government Reform released a report (PDF; HTML summary) finding that the TSA contractor, Desyne Web Services, had received a no-bid contract for the faulty site from a former employee who was then a TSA project manager. TSA has taken no action to sanction the responsible parties for the vulnerabilities. The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed.

What I want to know is ...

[ScrewMaster]

Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean? Sounds like a decidedly bass-ackward approach to me, designed more to prevent public awareness of corporate and governmental malfeasance than anything else.

Nobody wants their dirty laundry aired, I understand, but attacking people that expose such egregious errors does nothing to improve matters. I mean, if I say publicly that "your Web site has x security flaws in it" and it turns out I'm lying, fine, sue me for libel or slander or whatever else. Or better yet, just ignore me. But if I make you aware of a serious problem and you do nothing but try to intimidate me into silence, you're obviously trying to cover your ass, and should be fired for incompetence.

Re:What I want to know is ...

[ScrewMaster]

True, but that's not what I mean. I'm talking about someone who is already an outsider discovering a problem. That's what this article is about: someone who found something and reported it, and was then attacked for it. This has been going on for some time. Generally speaking, if you find a problem with a corporation or government agency's Internet presence, you're better off keeping it to yourself. That's because odds are the people administering that resource don't really care about security, and are more interested in covering their asses at your expense.

It's a much better move, careerwise, for a network admin to say "some guy was trying to hack our system, and being the network guru that I am I got his name and number", rather than admit that "some guy found a major hole in our security system, and kindly reported to us."

There have been numerous cases of Good Samaritan types reporting an insecurity on a Web site, and having the sysadmins call up the FBI and report a "hacking attempt." Over the past several years I've been on misconfigured Web sites and FTP servers that gave me access to things I should never have been allowed to see. My normal instinct would be to report the problem to the site's administrators ... but I wouldn't take the chance, not anymore. I have no interest in having the Feds knock at my door and arrest me on some bogus antiterrorism charge. If I see anything I don't think was meant to be public, I immediately get out and never go back.

This is not the same thing as being a whistleblower, which is what you're referring to. See, someone who is truly interested in securing a system would investigate such reports, from any source internal or external, and fix them. What we've been seeing is that it's more important to simply squelch such complaints at any cost, rather take the heat for one's mistakes. Worse, given the current legal situation in the U.S. a corporation that files a false hacking report can screw somebody up for life.

That's where I draw the line.