Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lax TSA Website Exposed Travelers' Information

Posted by kdawson on from the speaking-truth-to-stupidity dept.

sjbe sends in an old story with a poetic justice ending. Almost a year ago Chris Soghoian blogged about multiple security holes exposing visitors to a TSA site to possible identity theft. Wired and others picked up the story and the TSA took down the insecure site and fixed the problems. On Friday the US House of Representatives Committee on Oversight and Government Reform released a report (PDF; HTML summary) finding that the TSA contractor, Desyne Web Services, had received a no-bid contract for the faulty site from a former employee who was then a TSA project manager. TSA has taken no action to sanction the responsible parties for the vulnerabilities. The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed.

16 of 81 comments (clear)

  1. Re:Like most security theater in this country ... by Kelz · · Score: 5, Funny

    Did they mean "lax" as in "Loose and not easily retained or controlled." or LAX as in the airport?

  2. Another concrete example by $RANDOMLUSER · · Score: 3, Interesting

    Of why DHS is out front and pulling away in the "Scariest Agency" poll.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  3. What I want to know is ... by ScrewMaster · · Score: 5, Interesting

    Why do we keep penalizing those individuals who have the fortitude to stand up and point out security issues, and then let those responsible for said flaws get away clean? Sounds like a decidedly bass-ackward approach to me, designed more to prevent public awareness of corporate and governmental malfeasance than anything else.

    Nobody wants their dirty laundry aired, I understand, but attacking people that expose such egregious errors does nothing to improve matters. I mean, if I say publicly that "your Web site has x security flaws in it" and it turns out I'm lying, fine, sue me for libel or slander or whatever else. Or better yet, just ignore me. But if I make you aware of a serious problem and you do nothing but try to intimidate me into silence, you're obviously trying to cover your ass, and should be fired for incompetence.

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:What I want to know is ... by loraksus · · Score: 3, Insightful

      Because extremely expensive, no bid, just plain dishonest contracts to incompetents is how a great deal of the US government has work done.

      If private sector employees acted like this, they'd be fired for incompetence, the relationship with the incompetent 3rd party would be terminated fairly quickly, pressure would be put on the local district attorney to file fraud and conspiracy criminal charges if there was collusion and a whole lot less money would be spent before it all went away.

      In the case of government employees, it's just status quo. Move alone, nothing to see here.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    2. Re:What I want to know is ... by ScrewMaster · · Score: 4, Interesting

      True, but that's not what I mean. I'm talking about someone who is already an outsider discovering a problem. That's what this article is about: someone who found something and reported it, and was then attacked for it. This has been going on for some time. Generally speaking, if you find a problem with a corporation or government agency's Internet presence, you're better off keeping it to yourself. That's because odds are the people administering that resource don't really care about security, and are more interested in covering their asses at your expense.

      It's a much better move, careerwise, for a network admin to say "some guy was trying to hack our system, and being the network guru that I am I got his name and number", rather than admit that "some guy found a major hole in our security system, and kindly reported to us."

      There have been numerous cases of Good Samaritan types reporting an insecurity on a Web site, and having the sysadmins call up the FBI and report a "hacking attempt." Over the past several years I've been on misconfigured Web sites and FTP servers that gave me access to things I should never have been allowed to see. My normal instinct would be to report the problem to the site's administrators ... but I wouldn't take the chance, not anymore. I have no interest in having the Feds knock at my door and arrest me on some bogus antiterrorism charge. If I see anything I don't think was meant to be public, I immediately get out and never go back.

      This is not the same thing as being a whistleblower, which is what you're referring to. See, someone who is truly interested in securing a system would investigate such reports, from any source internal or external, and fix them. What we've been seeing is that it's more important to simply squelch such complaints at any cost, rather take the heat for one's mistakes. Worse, given the current legal situation in the U.S. a corporation that files a false hacking report can screw somebody up for life.

      That's where I draw the line.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:What I want to know is ... by sumdumass · · Score: 3, Informative

      How do you know they are expensive or dishonest? A no bid contract doesn't imply either automatically.

    4. Re:What I want to know is ... by ardent99 · · Score: 4, Insightful

      Well, yes and no. Yes, the cynical me says lots of government contracts probably do get done this way even though they aren't supposed to. But at least the government has policies and laws that say they aren't supposed to work this way, and I bet the *majority* is still done honestly (I hope).

      But private companies are under no obligation to be fair in who they buy from. There are no laws that say a company must buy from the best, or cheapest, or whatever. They just pick who they feel like working with and that's it. If they want to buy work from their buddy then they do it. That's not fraud or conspiracy or collusion. It's not even secret or embarrassing. That's what business is all about, they just call it "networking" whereas in the government they call it "cronyism".

      Public companies at least have some obligation to shareholders to be fiscally responsible, but for the most part dealing with this kind of issue doesn't get raised to the level of the board of directors unless it dramatically affects the quarterly results, so the management is free to do whatever it wants anyway. CEOs in the private sector are cowboys and apparently as a country we like it that way, evidenced by the fact that so many people these days balk at regulation.

      So, no, this would not be better in the private sector. In fact, it is the status quo in the private sector which is why it is rarely news. It is not status quo in the government, or at least it shouldn't be, which is why we get so upset when it happens there. We expect the government to serve the people, and we want it to. We don't expect the private sector to serve the people we expect it to serve the company owners, and it does.

      The real story here is that cronyism has spread like a cancer into many areas of government, and this item in particular shows how the very forces that are claiming to enhance our national security are actually sabotaging it. The answer isn't to leave it to the private sector and let the cancer win, the answer is to kill the cancer before it kills us.

    5. Re:What I want to know is ... by Hognoxious · · Score: 3, Insightful

      There are no laws that say a company must buy from the best, or cheapest, or whatever.
      It's often stated on this site that corporations (or the managers of them) have a legal duty to maximise shareholder value. Buying the stuff at twice the market price from the CFO's cousin's company doesn't seem to be in compliance with that.
      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  4. Even as we are faced with incident after incident. by riseoftheindividual · · Score: 5, Insightful

    Even as we are faced with incident after incident of our government failing to safeguard information, we do nothing as they collect more of it claiming they can be trusted to safeguard it.

    Real ID is going to be a nightmare.

    --
    Patriot - A fan of expanding government power and spending while not wanting to pay higher taxes.
  5. Re:Like most security theater in this country ... by ScrewMaster · · Score: 4, Funny

    Did they mean "lax" as in "Loose and not easily retained or controlled." or LAX as in the airport?

    Well, I've been through Los Angeles Airport a couple of times recently. I'd say either appellation is apt.

    --
    The higher the technology, the sharper that two-edged sword.
  6. Re:Even as we are faced with incident after incide by ScrewMaster · · Score: 4, Insightful

    Real ID is going to be a nightmare.

    If that's what it takes. Remember the FBI under Hoover? Did all kinds of abusive stuff, until it finally reached the point where Congress had to rein them in and enact strict controls on their behavior, mainly because Congress itself was threatened by Hoover's activities. Hell, the bastard had dirt on all of them. However, many of those restrictions on law enforcement were undone with the Patriot Act, CALEA and other poorly-designed laws designed to strip civil liberties from us. I have the feeling that we're going to have to suffer through yet another cycle of government abuse (worse this time) until the pendulum swings back and some controls get put back in place.

    If we're that lucky. I have my doubts about this go 'round ... we may be in for the long haul.

    --
    The higher the technology, the sharper that two-edged sword.
  7. Summary misses the point entirely by SpinyNorman · · Score: 5, Informative

    The poetic justice is not that Soghoian (who exposed the vulnerability) was investigated by the FBI and TSA, but rather the exact opposite, that having been investigated by the FBI/TSA he was vindicated by the scathing congressional report agreeing with him. At least that's an accurate summary, although still a bit illogical since the FBI investigation was for a different issue altogether - him blogging about how to create fake boarding passes which doesn't seem the smartest thing to do if you are really concerned about security.

  8. ..."no charges were ever filed." by iminplaya · · Score: 3, Interesting

    Yet. Doesn't mean they can't be some time in the future. And this investigation...or scathing congressional report? What will come of it? Will fines be paid? Jail time served? I've seen very little come from "scathing congressional reports" in the past. Will this one be any different? I would think not. Will any of this bring about a demand for freedom of movement without undue harassment? Will we finally vote for politicians who mention the word "freedom" at all? All the numbers indicate otherwise.

    Nixon's the one.

    --
    What?
  9. TSA = Toothpaste Security Agency by Anonymous Coward · · Score: 4, Insightful

    Why did the terrorists succeed on September 11, 2001? Conventional wisdom says the terrorists exploited a weakness in airport security by smuggling aboard box-cutters. What they actually exploited was a weakness in our mindset -- Crews were for years trained in the concept of "passive resistance." Everyone acted calm, and the crisis resolved with no loss of life. All of that changed when the first plane hit the north tower. What weapons the 19 men possessed mattered little, but it would never work again: Anyone pulling out a box cuter today would be dragged down by passengers.

    Yet today the DHS and TSA are still focused on the box cuters. Patrick Smith of the New York Times points out just how pointless the TSA searches have become. Why for example do they confiscate tubes of toothpaste or shampoo bottles potentially containing explosive materials, only to throw them out in the trash unchecked? Why do cleaners and garbage workers handle these supposedly dangerous contraband unprotected? The ban on fluids itself flies in the face of scientific opinion: "The notion that deadly explosives can be cooked up in an airplane lavatory is pure fiction."

    http://jetlagged.blogs.nytimes.com/2007/12/28/the-airport-security-follies/index.html

  10. Re:Even as we are faced with incident after incide by ScrewMaster · · Score: 4, Insightful

    I think you *precisely* correct in referring to the whole system as a pendulum.

    As an engineer, upon further reflection I think that a more apt description would be "running open loop". If you look at the U.S. Constitution, you'll realize that the so-called "checks-and-balances" put in place by the Founders, indeed the underpinnings of our entire Republic, are nothing but a series of carefully crafted negative feedback loops. The intent of those mechanisms was, of course, to prevent the government from going too far in one direction. The most basic of those is the fact that we can elect our leaders: the governments actions are processed by the population and fed back to the input as votes. Another loop was the original tariff system. It is complicated, but it worked for a long, long time, and had our elected leaders not fiddled with it continuously, would still be working now.

    The problem is that Congress, with its fundamental incompetence and endless quest for votes, has opened most of those loops and the proper amount of negative feedback is no longer being applied to the system inputs. In fact, there's generally no negative feedback whatsoever: it's all going the other way. That's placed us in a swell of uncontrolled positive feedback which will eventually reach the maximum tolerance of the system.

    In electronic terms, that usually means your output is locked to within a few millivolts of your positive supply voltage. In civil terms, it means a revolution is about to start.

    --
    The higher the technology, the sharper that two-edged sword.
  11. representatives by nguy · · Score: 3, Insightful

    Complain to your elected representatives with a short, politely worded letter. That's the most likely to get these practices stopped.