"Clear" Air-Travel Pass Data Stolen From SFO
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."
To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.
I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this where private companies motivated by the lowest common denominator really get under one's skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to now do, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (whose job it is to ensure safety of travel and should not have been in the business of verifying identity for air travel anyway).
Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)
Visit Jonesblog and say hello.
The company has now decided that it might be a good idea to encrypt the data in their systems.
Then they've clearly hired the wrong people for the job. But since when is news like this anything new?
HAH!
If you have customer (or business!) data on a laptop, there is really no reason at all to not have full disk encryption on it. Laptops are stolen all of the time and this is the sort of publicity your company does not need.
I read the internet for the articles.
Before they require hardware based encryption for drives containing this sort of data? It seems completely ridiculous to me that they would keep sensitive data like this on an unencrypted drive.
One word of this: Incompetent.
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
"The company has now decided that it might be a good idea to encrypt the data in their systems"
because apparently before locked doors was good enough
You've got social security numbers of thousands of people on company laptops and you didn't make it a policy to encrypt everything?
Seriously?
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
From the "Clear" link: "Clear's first year price is $128."
I'd say that's a bargain to have your identity stolen!
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Who am I kidding. No, it won't.
... especially since at my workplace, they are starting to think about encrypting laptop hard drives that contain personal information about government related investigations related to people working without permits and that kind of deal.
The thing is, though, they're only encrypting the new tablet PCs we just bought, not the older Thinkpads we used - And the database is imported from the web, which means the unencrypted laptops contain the same data the encrypted ones do...
I have a feeling we'll see even more of these in the near future.
The CIO of this company and everyone involved in the IT policy with regard to security should be in jail forever. There is absolutely no excuse for this at all. SS and Passport information? This can cause headaches that never end for the poor victims.
Just further proof that this Administration only cares to ruin lives.
All aboard the FailPlane!
With Pic!
A laptop containing the unencrypted -
NEXT!!!
Assuming this system allows them to reliably identify a person, so what? Do they do extensive background checks and continuous monitoring to ensure that the people aren't involved in terrorism? Or if I have no obvious problems in my background and enough money to pay for it, can I get treated differently too?
Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?
So it's the same price as mobileMe, and it provides users with the same level of frustration. Who says government contractors can't compete?
Please tell me that there is going to either be prison time or a huge *personal* fine for the CEO of the tinpot company who thought that a lock and key was enough security. I'm not talking about firing the person who left it there or propped the door open to do the vacuuming, but the person at the top who says "Yes, this is cost effective and proper." We need to have people at board level think twice about storing our data so shockingly badly.
I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.
I wonder how much one can get per personal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.
Have gnu, will travel.
This might be the best summery I have seen in some time. It has far more useful information than the linked news story. I want to personally thank the poster for that and suggest we could use a 'goodsummery' tag to balance the 'badsummery' tag that we so often see.
Ascii artist &
I was just thinking earlier today of signing up for that. I do a lot of travel and thought the cost might be worth it to cut down on wait time. Guess not.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
He got the contract and I bet he is paid really well. Why would he do more?
Names, SSi number, date of birth .. we need to stop using all of these as ID right now.
My suggestion is this. At some appropriate age, say 16-18 where most countries seem to issue ID, we each choose and commit to memory a graph G, such that the chance of a collision in all earth population is close to zero. Then whenever we need to prove our ID for air-travel or whatever we just need to go through several rounds of identity proof where we generate an isomorphic graph H, and show EITHER isomorphism between H and G, or a Hamiltonian cycle in H. After a sufficient number of rounds your identity would be certain to the required probability and you could be on your way.
The technique to do this mentally could be taught in schools. It's THAT SIMPLE!
Dude, it's called "Clear" for a reason.
I think the only thing saving the IRS is that it operates with COBOL software and nine-track tape and not many hackers can do those these days.
I forgot the exact country, but one of the major western European countries had a significant chunk of taxpayer ids stolen last year.
Well, somebody better start suing. That's what I hate about all these companies and government agencies that have access to all our private information. They are giving out our private information for free and the only thing that they do to help or protect us is giving away free credit monitoring for a year or 2 instead of a person's lifetime.
What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of a database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.
The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.
Let's check out the "Clear" privacy policy. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz, noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."
Yet there's no announcement of the security breach on the Clear web site.
Their privacy policy is an interesting read
http://www.flyclear.com/privacy_fairinfo.html#idtheft
Our company was being audited for security, and the auditors lost their papers with information on logins, etc. As a result, we had to change all of our passwords.
Why do these fucktards always seem to decide that it's a good idea to encrypt their data after a laptop, computer, hard disk or tape backup containing the personal information of hundreds of thousands of people gets lost? There need to be more legal penalties for these companies' shoddy IT practices! Perhaps a CEO/CTO should do some jail time to drive the point home...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Concise, well written.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
The company has now decided that it might be a good idea to encrypt the data in their systems.
NOW? They're NOW deciding that it might be a good idea to encrypt the data? Ok, I don't work in the industry and all but even I, as an uneducated outsider, know that it's a good idea to encrypt that sort of data. Jebus... That should have been one of the first priorities in developing their systems and procedures...
See page 32.
I don't understand why data like this was on a laptop in the first place. Encrypted or not, it seems problematic to have copies of databases floating around, flying with executives, packaged up neatly in a form that makes it easy to steal (i.e., a freakin' laptop).
What am I missing that I don't get why this database was allowed off the core server that hosts it? Simply from a data integrity standpoint it seems like a bad idea to let multiple copies move around.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
This whole thing stinks anyway. That pass is BS and nothing more than a scheme cooked up to get people through airports faster and ease the load on the TSA people. It is TOTALLY a compromise in airline security allowed by means of a $100 bill. Yes, encryption is a good idea, just like breathing is a good idea.
If I wanted my mind made up for me, I'd do it myself!!
I guess my question is....
Could a terrorist organization exploit this information to be able to get someone on a plane who wouldn't have been able to before? A fake passport/drivers license in the name of a trusted passenger who knows all the personal information he should. In any kind of rational security process, each and every one of the CLEAR passengers would now be on the TSA Watchlist, subject to extra scrutiny.
Talk about blowback! Talk about (Alanis Morissette be damned) irony! An intrusive system designed to help trusted passengers bypass an intrusive search for terrorists, allows those same terrorists to bypass the search.
And the worms ate into his brain.
393-43-5435
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Blame capitalism!
That shit never worked, man.
Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.
Unsecured computers in the field with live identity information? Check.
Multiple copies of identity information floating around? Check.
Many **totally** unaware employees in the field with private data? Check.
Many **totally** unaware employees at the contractor's office passing private data? Check.
It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.
Which, is why the rules, regs, and standards for handling private information is ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Collaborators with the enemy get what they deserve.
You can NOT make this shit up.
I wouldn't be fired if this happened to my laptop. I would be charged, sued, and ostracized, and find a new line of work. Probably with the phrase 'biggie-size' involved.
Almost as ludicrous as electronic voting...
deleting the extra space after periods so i can stay relevant, yeah.
The annual fee is $100. You only pay 128 the first year. If you really went to the Clear website...you would've read that.
Oh, really? Once again, from the Clear website:
How much does it cost to become a Clear member?
Clear is available for $100 plus a $28 TSA vetting fee, for a total of $128 per year. Lock in these prices by purchasing a two-year membership for $256 or a three-year membership for $384.
You will also provide a credit card number, but you will not be charged the annual fee of $128 until you are approved for membership.
Looks like $128 to me.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Important Notice
We are currently updating our software and are unable to process enrollments at this time. Click here to enter your email address so we can notify you once enrollment is available.
Clearly this is simply just a Java SDK upgrade or something.... :P
Like the sysadmin really had a say in this. He probably asked for that a thousand times.
It will be interesting to see the fallout from this episode of "Security Theatre".
This must be sarcasm... I guess...
That 'summery' was the only place I saw any reference to 'SSi number' being compromised. I saw one report on tv that specifically said that social security numbers were not on the pc. And here is another reference that says the same thing: http://www.ktvu.com/news/17098410/detail.html
Why was the data of 33.000 individuals recklessly carried around on a laptop at the airport? Internet and encryption, have they heard about it?
So CorpTards(tm) where's all your blather about businesses being able to run things more efficiently/securely than government.
Corps can often do things cheaper, but that's because they usually cut corners to save on costs. Just take that from someone who has worked for them and knows what they're like.
(Anonymous Coward is one of the foremost experts on corporate culture)
Mod parent up, this paper is relevant and is pretty good.
With any luck, the DHS will find it.
~
I think you are mistaking the job titles of "System Administrator" and "Someone Who Has More Than A Passing Chance Of Affecting Change In Policy"
OMG! The only, ONLY appropriate response is to temporarily shut down the program, fire the contractor, ban them from future work on this, put it out for bid again and start over.
This is from Clear customer support: consider the source and apply the appropriate amount of salt.
The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.
At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.
Please tell me that there is going to either be prison time
No way. What's the crime? You clearly fail to comprehend that failure falls on the individual's shoulders. It's that way by design and it works great for everyone except the individual.
huge *personal* fine
What's the crime? Clearly you have *no idea* what role corporations play in shielding liabilities.
firing the person who left it there
No one is getting fired. No one is getting a bad review. There are no consequences. Some dust will fly, but that's dying down by the end of the week.
"Yes, this is cost effective and proper."
Storing the data on a laptop that requires a username and password to get to the desktop is cost effective and proper. There. Does that make you feel better?
We need to have people at board level think twice about storing our data so shockingly badly.
Who's going to be in charge of that? You certainly won't do anything about it beyond your post. So the system works great.
When are you and the idiots modding you insightful wake up?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
$50 says that they'll keep the key to the encrypted data on a post-it attached to the computer, or use "password" as the password, or have a file on the desktop called "key to encrypted data".
-- I prefer the term "karma escort."
Not to worry, all sensitive information was encoded in pig Latin.
I don't understand why there aren't penalties for this sort of thing. The way I see it this qualifies as criminal negligence because the ramifications for an individual of having their identity stolen can be severe.
If loss of personal data is somehow attributable to negligence on the part of the company, in this case the lack of encryption and maybe not securing the laptop properly, the company should be penalized. The most obvious would be a fine; let's say $10,000 for each account.
My bank, or companies they do business with have managed to lose a significant amount of customer information, not once, but twice in the past year. They mailed out notices and provided customers with some bullshit free access to credit monitoring for 12 months, later extending it to 18 or 24 months. And that's that, it's out of their hands.
But then what the hell do politicians care? With financial institutions like Countrywide giving out extra-low interest rate VIP loans to congressmen they have no incentive whatsoever to look out for our best interest.
ORLY?
There are certification programs known as Privacy Act Registration and HSPD-12 which are part of the DIACAP process which REQUIRE hardware encryption of the full disk. DoD systems all have to meet these and it's a big deal if it turns out you tried to speed on meeting these requirements. Clearly, the TSA feels it's too good for its own policies.
I expect the required rules for security of the data were likely in place and applicable to most employees. It would take a special kind of stupid to not have some security rules.
But those rules seldom are applied to upper echelon management who can simply say they want data X in a readable format (probably an Excel spreadsheet) put on that laptop for their trip etc. The higher you are in an organization it seems the less likely you are to think the rules apply to *you*.
Either that or this "theft" is a convenient way to explain how the data got into the hands of a commercial enterprise that purchased the data via a bribe on the side.
In any case, the CEO's of the company all the way down to the employee who lost the data should all be fined and given jail time. I know that won't happen, but it is what should happen.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
s/Affecting/Effecting/ thank you :)
Where do I sign up so that I too can pay $100 to have my identity stolen?
Nelson Muntz, "Hah hah."
No sig for you. YOU GET NO SIG!
See, this is exactly why I gave them a fake name, address, and SSN when I enrolled in CLEAR.
Let's put a nail in it -- names, addresses, SSN -- these are no longer valid for signing up for credit, new accounts, anything. Let's get it over with and publish everyone's at the same time but let's start with the politicians.
Imagine how fast new laws would be created protecting data if every member (and their families) of Congress and Senate had their personal info posted.
fucked up.
What a surprise.
Privatization of government work is costing us far more than if the government agencies did this work.
The Kruger Dunning explains most post on
Just add all those names to the no-fly list.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Good thing terrorists can't afford a $100 pass to bypass security.
You can't specify enough objective criteria to keep a low ball bidder from cutting quality to meet an overly low bid. Best to define a budget and put someone in charge of getting the job done and let them run the show. One throat to choke with a decent budget will typically achieve actual results.
I'm not surprised this happened...well, maybe I'm surprised that a security company would leave that kind of data on a laptop.
Fact is, this happens everywhere and it's going to get harder to manage. Unless you start taking people's laptops and even their desktop PCs away from them, you'll never stop it. Add to that the fact that you can get 16 GB flash drives and 80 GB iPods. The only ways to stop this are to (a) encrypt data, or (b) take users' toys away. Neither happens without a huge fight.
Encrypting laptops is a really big challenge. If you let users do it themselves (using vendor software, Windows EFS or others,) then they hold all the encryption keys and could make it impossible for you to get the data back in the event they get fired or quit. Implementing enterprise encryption is another road, but has its own set of problems. You have to have a full-time admin to keep the public key infrastructure up, revoke and reissue certs, etc. You also need to spend a large sum of money -- RSA and others make huge bucks every year selling enterprise-level disk encryption software. This is a very hard fight to win until something bad like this happens. And even if you get the software purchased, convincing the execs that you also need someone to look after it is tough.
Plus, you cannot stop a developer from taking the customer database home on a 1 TB disk drive to write/test software against. Unless you're disciplined enough to scrub any dev data of any customer information, it will be used. Even if you tell them they're fired if they take home data, being fired isn't the permanent black mark it used to be. Not everyone's a professional.
So, either completely limit access to data, or take toys away. Everything else is just a band-aid. I don't mean to sound defeatist, but unless you give employees some incentive to protect customer privacy, they won't do it. Security is a major pain in the butt...even I think so. The key is to make security "not a pain."
It's possible that is an "inside job", rather than an opportunistic theft. I mean, the laptop could have been "stolen to order". Identity criminals are getting more organised. Who knows what other data was on that laptop, given that it was being used by a security professional.
Looks like someone used the same trick as the PFY, just three years later.
Everybody assumes that this data would go to criminals for use in ID theft mischief. What if terrorists used it to program their own Smart cards in order to "speed through airport security"?
You expect commercial interests to do dumb stuff like this out of greed or incompetence. Accordingly, the fact that TSA/DHS didn't certify this company's procedures tells you something about their competence/security.
The product name is "Clear" so why would anyone buying the product expect any level of obfuscation?
Unfortunately there's not a mouthpiece for a giant multibillion dollar industry available to sue people who "make available" personal information.
Nor are there investigators roaming the internet making warrantless searches for offenders.
Nor are there lobbyists sending Congressmen on junkets to ensure that maximally favorable and punitive laws are passed.
And when the government serves up your personal information, even through a contractor, you usually can't sue anyone, and if you do, it takes most of a decade. And you definitely can't bully the government for a settlement.
As usual, it sucks to be a plain old citizen.
s/Affecting/Effecting/
thank you :)
Effecting isn't a word.
More importantly, why is sensitive data *stored* on the laptop at all? Should it not be kept only on a secure server, and then only accessible across a secure encrypted VPN connection on an as-needed basis? With today's storage technology, yes you could store personal and sensitive information on every man, woman, and child in the US on your laptop, but what knucklehead would even consider this a "good idea"?
Homeland Insecurity -- making us all more insecure with each passing day. Let's get rid of them.
Ruby Neural Evolution of Augmenting Topologies
Nice society you're building there.
Is that considered normal in the US? Because it's contradictory to civilised principles elsewhere.
you had me at #!
I'm not sure which is more commonly stolen now, laptops or purses. But most thieves won't *break into* your car to steal a purse.
Laptops can be and are stolen whenever they're out of sight of the owner. I don't know why it is that people don't get this.
Just like the VIPs in hollywood, the people involved in this program now have public lives.
Now perhaps a few more people will understand why we fought so hard to ensure that New Hampshire will not participate in the Real-ID system, or any de facto national ID card that may follow.
Part of the Second American Revolution!
We now see the real reasoning behind the TSA. To charge extra for a service that really we don't need.
I am Bennett Haselton! I am Bennett Haselton!
I think they hired Homer Simpson for yet another job requiring competence, diligence and a fanatical devotion to the Pope. When will they ever learn!
..that something similar happened, and yet again these companies get off with a "my bad" letter.
Yes it is, o non compos mentis.
Only his tendency toward a dazed stupor prevented him from screaming aloud.
I enrolled in the Clear program back in March. My reasons were very specific: I got tired of fighting long security lines at the airport, and since I work away from home and travel back and forth a lot, the convenience of this system is more than worth the $100.
I work in DC, and live in Jacksonville, FL, and I normally travel back to the District on Monday mornings. I was stunned to see how long the security lines were at Jax International, even at 6:15 in the morning, and with a full slate of TSA scanners and personnel on the job.
There is nothing like being able to walk past a line of three or four hundred flyers, skip right to the head of the line and be at the gate with enough time to hit the head and grab a coffee. I have zero stress when flying now.
That being said, I'm certainly upset about the laptop theft, and the "inside job" theories might have some truth to them, considering this was supposed to be in a locked office. I don't necessarily buy the "stolen to order" conspiracies, but it is worrisome. I'll continue to do what I always have - monitor all my accounts, credit reports, etc. and hope this gets solved in a quick and reasonable fashion.
As for the necessity to hand over a lot of private information, let me explain what the procedure is:
When you apply for a Clear card on line, you provide the same information, initially, that you would when ordering a product: name, address, phone, and a credit card for the screening fee only ($28 which goes to the TSA). Part of the on-line application process is providing your SSN. In this case, it's a necessary evil, since Clear has to access information only you would know. I would assume they're getting this off credit reports or public records. You answer three or four questions, and if the answers are satisfactory, you move on to the next step. You print out a document with a registration number.
That step requires an appearance, in person, at the local airport with the Clear service counters. They check your registration, and you have to provide two forms of identification. One can be any government-issued picture ID. The other, however, must be a government-issued birth certificate or a valid passport. I tried to use a birth certificate issued by the hospital where I was born in 1955, but they refused to accept it. This required me to order a new BC from the state where I lived, and finish the process another day.
Once that's finished, you stand at a kiosk and have all your fingerprints and one iris scanned. They save two or three of the fingerprints and the iris, and the data from both are eventually encoded into the chip on the smart card they issue you.
The wait for the card can be nearly a month.
As protective as I am of my privacy, I really didn't have a lot of issues with what I had to do to get this. I am an IT contractor and former federal employee, and I have a high security clearance. I had to give up a lot more during that investigation, including having family, friends and neighbors interviewed about my character. Since this is a requirement of the job, I have nothing in my past to hide, and it means a much higher salary, I'm not going to raise too much of a stink.
Clear, on the other hand, didn't get anything from me that isn't easily available (or steal-able) to anyone with a few dollars and a couple of private detectives on the Rolodex. Go to one of these "free credit report" sites and request to see what's on that thing. You have to answer some of those questions I mentioned before, and what they have is pretty interesting, and deep.
I'd be lying if I said this laptop theft doesn't worry me. I have the feeling that the idiot who stole it probably won't even look on the damn thing, and it will turn up, drive slicked, in some pawn shop.
In the meantime, I'll keep a close eye on everything sensitive (I get lots of practice at work).
And I'll still be jumping the line at the airport.
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
idiot
Yes it is, o non compos mentis.
No it's not.
Nice Latin by the way. :-)
So reports the SF Chronicle in an article from the AP:
(08-05) 11:59 PDT San Francisco, CA (AP) --
The company that runs an airport security prescreening program says they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing.
...
They found the missing laptop in the room where it was supposed to be:
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/08/05/financial/f102608D05.DTL&tsp=1
Does Jim Varney being dead affect it in any way?
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
Customer data on a laptop in a locked room is kind of odd. The fact it (or one that looks like it) was recovered IN THE SAME room a week later is even more suspicious. When you combine what the TSA just decided to do last month you wonder what is its future?
http://www.tsa.gov/press/releases/2008/0724.shtm
If the TSA is no longer doing background checks it no longer really has any security value. Then you really don't need to collect that much information about someone because it basically becomes a "skip to the front of the line" card with maybe some discounts at airport shops. You don't need that much data, you don't need the biometrics thing because it doesn't really matter who has one. It becomes little more than your frequent shopper card at your local grocery store.
Don't believe me? This is what one of Clear's competitors is resorting to:
http://www.secureidnews.com/2008/08/04/redskin-fans-can-flo-into-stadium
Thanks, but it truly is a word. Check the dictionary.
Only his tendency toward a dazed stupor prevented him from screaming aloud.
It's not just Vermont, you liberty lover.
Oklahoma and a few other states are against it too.
It was found in the same office that it was left in.
The only reasonable thing that they did after 9/11 was lock the cockpit doors. Everything else is BS designed to make you think that they're doing something useful.
1) Setup a web app using php and mysql
2) Use SSL cert
3) Have server hosting this data in a secured data center
You can run reports and grab data when needed, and even export data to an excel spreadsheet using the MySQL GUI tool if you don't want to code the export in php.
...kill more people every year than a couple of crashed planes. If the same amount of funding and resources went into preventing drunk driving we would all be a whole lot happier (and probably healthier because no one would be able to drive anywhere...)
Look at the state of fear people live in now. Terrorists don't have to crash planes into buildings anymore. They have already won by subverting the government propaganda machine into cultivating an environment of terror.
the above is my personal opinion and does not necessarily reflect that of the little voices in my head
SAN FRANCISCO (AP) -- The company that runs an airport security prescreening program said Tuesday they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing.
The Transportation Security Administration suspended new enrollments to the program, known as Clear, after the unencrypted computer was reported stolen.
Officials with Verified Identity Pass, which operates the Clear program, said the laptop was found Tuesday morning in the same office where it supposedly had gone missing.
The program allows passengers to pay to use special "fast lanes" to avoid long lines at airport security checkpoints. The laptop contained the personal information of applicants to the program.
Thanks, but it truly is a word. Check the dictionary.
Woohoo, grammar wars!
If you're going to prove me wrong you could at least link to the proper page. :-)
I was under the impression that Sarbanes Oxley would take care of this. If you are doing something you should not be doing according to your guidelines and policies, the CEO/CFO go to jail.
This is true if you mislead your investors, apparently not if you mess with your customers.
I see no difference...
Load New Commander (Y/N)?
http://www.cbc.ca/cp/Oddities/080805/K080506AU.html
"U.S. company finds missing laptop with security applicants' data
SAN FRANCISCO - The company that runs an airport security prescreening program in the United States say it has found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing."
Like I've said before, technology isn't going to solve our airport problems, we need people power that are well trained, happy to do the job and have an incentive to keep the job.
Once again the weak link isn't the people doing the work, but the people who think up the way to do the work.
Airline tickets to North Carolina: $432
Towncar service to air port: $86
Clear system access to speed up airport process: $100
Getting your information stolen and ready for identity thieves: Priceless
My abilities are only limited by my imagination
There should be a law that says all personal data on any media including hard drives must be encrypted to military grade at all times.
Just having persistently-stored unencrypted personal data should be a crime, and anyone that loses personal data should have to pay significant damages to each of the people identified by the data.
In the US, the SSN is essentially a national ID. It wasn't intended to be. What happened? In a modern society, you need a universal means of identification. The SSN is the only nation wide number that almost every adult has. It became the national ID by default.
By not recognizing this, we continue to leave it insecure. There should be an additional password associated with your SSN. That password would be in a secure national database, and it would be unlawful for a commercial entity to store that password on a computer. They would only be able to verify that the SSN and password match by accessing the national database.
Illegal aliens would not be able to get a job with my SSN, and identity thieves would not be able to get a credit card with my name and SSN. If I suspected anything, I could change my password.
Unfortunately, if you mention a national database, some people go crazy.
According to a radio blurb I heard about 15 mins ago the laptop has been located. They also mentioned that it had actually been missing for a week. Strange we only heard about it just before they located it.
I Need someone to rebuild a Digitech Digital Delay pedal for me....for me...for me...for me.
Guess this GE owned business is getting lax about securing laptops compared to the other GEs my associates have contracted at. GE Corp and several GE divisions no longer issue unencrypted and force install a product called SAFEBOOT that does 256 bit encryption to almost all of the volume. This requires a password at startup to load the OS. Unfortunately if they have stolen an unlocked active laptop with safeboot it's a 99% likelihood that the startup password matches one of the other passwords in the PHB cache. GE acquires businesses every day of the week and it is quite a process to integrate businesses into the fold but there is no excuse for any laptop to walk out of the build room that is not at least volume encrypted. Any company licensed or built program requiring a local database need be rebuilt in a serious way. GE has literally 10k plus Citrix/Remote Desktop servers just to support their mobile workforce and has deployed and had a 1/1 ratio of VPN users and RSA hardtokens to laptop users.... at least I am told. Shame on the program manager, the IT manager that let unencrypted data be stored locally, shame on the CIO and shame on the CEO for not taking the last 6 years of articles in the WSJ seriously.
I'm a programmer for a company with thousands and thousands of customers and their SSNs. If I could set the policy, our customers' SSNs would be protected too. Unfortunately, I can't, and they're not.
In most companies, understanding security and pushing for improvements brands you as a tinfoil-hat nutjob. About the best you can do is set up the email and paper trail so that when the CEO or HR director loses their laptop, they stand absolutely zero chance of being able to point a finger at you or claim it was anybody's fault but their own.
The flip side is: Don't EVER give your SSN to a private company. They will not protect it.
I have a feeling everyone on the plane would fight it.
You have a feeling? This was proven an hour and twenty minutes after the first plane hit the Twin Towers, by ordinary Americans correctly assessing the security situation over a field in Shanksville, PA.
Then we hardened the cockpit doors to make double-sure. Everything since then has been a distraction.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
"The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently."
which never pans out.
We pay for failure. What do you expect?
I suspect if we only paid for working product, with payment upon delivery/agreed validation, government contractors would get a lot better. Or, rather, only the good ones would survive. Yes, part of that is having a better specification process.
Right now to be a government contractor the primary qualification is having a large team of lawyers and accountants.
Like the sysadmin really had a say in this. He probably asked for that a thousand times.
Any competent, ethical, sysadmin in this position would have quit in protest, making very large noises about why he was doing so, especially pointing out the real risk to American lives (allowing the premise of the system for the sake of argument) and then blowing the whistle.
And the ironic thing is he is probably going to be the one blamed for the leak!
Many here are complaining of incompetence in the TSA and other government agencies.
Let me express my affinity with Sam Clemens, Thomas Jefferson and many others when I say: I prefer them this way and so should you. You have no idea how abhorrent the government could be with the trillions of dollars at their disposal. Let us pray they don't become more effective. Please?
Help stamp out iliturcy.
CNET is saying the laptop wasn't stolen: http://news.cnet.com/8301-1009_3-10008094-83.html?part=rss&subj=news&tag=2547-1_3-0-5
It was just misplaced...
rewriting history since 2109
> This is slashdot, not digg, and I hope that we have the capability to hold discourse to a higher standard.
Ymbnh.
What a depressingly stupid machine.
is par for the course. I wouldn't be surprised if there was a thief, who put it back in the office after copying the data and making a few little additions. . . e.g. adding the entire membership of al-Qaeda to the list of people who get fast-tracked through security.
Tech Public Policy stuff
It concerns me that credit card numbers and social security numbers are these all-important pieces of "your identity" that must be carefully safeguarded at all costs. Nobody can know! Except all those entities that ask for them. Like these 'Clear' guys. And exactly 9,267 waiters.
Proof of identity that is equivalent to the identity itself, in entirety, hmmm? Why can any number of people impersonate you, but are trusted not to? Why can your identity be "stolen" from a third party?
I cry for the day when society at large discovers what the sweet loving fuck a private key is, and perhaps even a respectable comprehension of what defines "secure." Security is not so just because your government and the man in the uniform assures you that things are _better_ now, or even simply that the status quo is _perfectly fine_. It's a small subset of your typical Americans (in my experience) that when presented with the latest breakthrough in airport security, have a response beginning with "Couldn't they still just..."
Most are sheep. And a lot of the smarter ones still feel just a teensy bit better.
It doesn't take a hacker's mindset to poke holes in the elaborate security handwavings presented day to day. Do they not care?
Identity is a funny thing here. People are scared shitless of a big brother style national ID card, but line up for state drivers licenses, of which fakes are made plentiful to satisfy the desires of even the most low budgeted of teenagers. Supposedly the government knows you exist if you have a birth certificate. SSN supposedly optional, but I'd love to see someone try. But the government as well as everything private seems to forget who you are from building to building - each asking you again for that same basic info. In practice most things are just as anonymous as they are online. Go ahead, lie about whatever you want. See if they notice. I'm Nat Tellin half the time.
Think for a moment about how you would create a 'new' identity. How terribly possible it is to simply disappear, and pop up again somewhere else as a new person. Bonus points for looking totally benign under scrutiny - perhaps you 'immigrated' from Canada using some thin mask of false credential. Just as long as you keep telling the same lies to all the right people, really. At what point have you succeeded? Genuine but falsified photo id? SSN? Credit history?
All that defines you is ability to provide a series of opaque alphanumeric values that you freely give to most anyone, but are next to impossible to verify.
"Strangers have the best candy" -Me
Do not question the fundamental issue that this is morally wrong and you are being slowly squeezed into a little cage, without resisting us. Instead, we promise we won't do it again. Oops, heh, sorry!
When the physical security of airline passengers is at stake, wouldn't it be a good idea to have a Plan B that gives an agency the option to destroy data if a breach is suspected? If that laptop hadn't turned up, or in the case that the laptop was stolen, breached and returned, the data contained within could make it easier for dangerous people to travel undetected. This puts anyone who travels by plane at risk. Even full-disk encryption isn't a failsafe. The option to remotely destroy data seems like a reasonable one when it comes to people's lives. http://pcsecurityblog.beachheadsolutions.com/2008/08/06/tsa-fails-to-secure-trusted-traveler-data/
From your own second link: "There is a verb "to effect". It is quite rare, but useful in business writing. It means "to bring into being."". The flow of the sentence obviously indicates that the idea is to bring changes of policy into being. Thus, effect would be the appropriate verb for the situation.
"Someone Who Has More Than A Passing Chance Of Effecting Change In Policy"