"S" Is For "Simpleton"!
And all along, there you were thinking it was the Transportation Security Agency, huh?
Another bright moment in Homeland Identity Theft, uh...Security Theater...pops up via Consumerist, with this Ryan Paul Ars Technica post about security flaws in the TSA's "traveler redress website." (That's where all the little blond 5-year-olds thought to be dangerous Saudi Arabian terrorists have to write to get their names off the get your cheeks spread before flying list.)
The site—which enables travelers to seek removal from airline watch lists by providing personal identification information—operated for four months before the vulnerabilities were detected. The web site was hosted on a commercial domain by a contractor and did not use SSL encryption for submission forms that transmit sensitive identification information. The few pages of the site that did use SSL used an expired certificate that had been self-signed by the contractor. The lack of proper encryption was brought to the attention of TSA last year by security researcher Chris Soghoian, who noted that such "major incompetence" could have been avoided by basic oversight.
"At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a web site that violated basic operating standards of web security and failed to protect travelers' sensitive personal information," says the report summary. "These deficiencies exposed thousands of American travelers to potential identity theft."
According to the report, the TSA was completely unaware of the security issues while the site was in operation. During that time, thousands of travelers submitted personal information through the website and a TSA administrator claimed in congressional testimony that the agency had assured "the privacy of users and the security of the system."
Yes, it's impenetrable to anyone with a Kaypro with no connection to the Internet.
And let's give credit where credit is doodoo:
The web site was created by Desyne Web Services, a web marketing firm from northern Virginia whose clientèle includes the FBI, USA Today, and George Foreman. TSA awarded Desyne a no-bid contract valued at $48,816 for development of the redress system. According to the report, the Request for Quote (RFQ) issued by TSA prior to making the deal stated that Desyne was "the only vendor that could meet the program requirements." The report notes that Nicholas Panuzio, the TSA employee and technical lead who authored the RFQ, had previously worked for Desyne and had known the owner of the web design company since high school—a serious conflict of interest. Following the revelation of security vulnerabilities in the system, TSA transferred the site to a Department of Homeland (DHS) Security domain and notified users who submitted information through the unencrypted form that they had been exposed to risk of identity theft. The committee's report notes, however, that TSA never reprimanded Panuzio or imposed sanctions on Desyne. In fact, the report says that Desyne continues to operate several major TSA web sites and has received over $500,000 of no-bid contracts web services from TSA and DHS.
Charming. Are you feeling more secure? I'm feeling more secure that we might as well just burn our tax dollars; we'd get more out of them that way. Homeland "Security" is making a few people richer, the rest of us really fucking annoyed and inconvenienced, but is it making anybody safer? Ryan Paul continues:
As we have noted in the past, the TSA terror watch list has very little efficacy and may actually contribute to security problems. The creation of the TSA redress system was precipitated in the first place by a study conducted by the Government Accountability Office (GAO) which found that approximately half of the individuals on the watch lists were false positives. The GAO has also reported ongoing problems with people on the no-fly list accidentally being permitted to fly. Additionally, TSA reported last year that screeners missed approximately 75 percent of simulated explosives and bomb components that testers hid in their clothing and carry-on bags at Los Angeles International Airport during a review of airport security procedures. In light of TSA's steady litany of serious failures, perhaps it's time for Congress to reconsider the agency's role in airport security.
Personally, I think they'd be better suited to put on puppet shows.
These are the people who held Medal of Honor winner Joe Foss - in his 80s at the time - for carrying his Medal of Honor. They professed that they thought it was a weapon. They couldn't read it.
I do not need to fly so badly that I will expose myself to such morons.
Radwaste at January 15, 2008 2:33 AM
Well, if you go over and get an SSL certificate here http://tinyurl.com/2ar7jf , which is the most expensive kind that anyone buys, it's $1,000 per year. Also, every web developer who doesn't have his head completely up his ass knows you need one for users to submit sensitive information securely.
Shawn at January 15, 2008 3:56 AM
Personally, I think they'd be better suited to put on puppet shows.
You can't be serious. First you tell me that this agency likes to bend people over and spread their cheeks for a good frisk and search before flight, and now you suggest they put on puppet shows. Not!
jerry at January 15, 2008 4:40 AM
Coming back to CT from FLA last week, I had a bottle of Vaseline body lotion in my carry-on. Going through the check point, they held up my bag, said to me "is this yours?" I said "yeah" and they said, "well we have to go through it."
It was already packed to the gills. I said "good luck packing it back up." and the guy said "you'll be doing that." Then he opened the zippered pocket and took out the lotion that I had just bought and said "that's it." And I just looked at him and said, "Swell. I just bought that. Give it to a lady friend, I'm sure she'll like it", and he said "oh no, we just throw it out." What a freakin' waste of time and money! o_O
Flynne at January 15, 2008 5:39 AM
You can't be serious. First you tell me that this agency likes to bend people over and spread their cheeks for a good frisk and search before flight, and now you suggest they put on puppet shows. Not!
Looking up your ass with puppets, sounds just like the TSA.
Personally, I just think there's a certain extremely tiny chance I'll blow up, either by living in Los Angeles or by taking a plane with an Islamist on it, or by just getting on a plane with poor maintenance. I don't think searching Grandma and 5-year-old Billy will much diminish that chance, if at all.
I know the clowns running the TSA pretend they've got our safety covered, but sorry, if you were a terrorist who wasn't totally mentally retarded, wouldn't you just find a way to smuggle in whatever with the rolls from Starbucks or something? Or just hit a different target with a different means?
Or, just come to our country or to Canada, and use our laws and freedoms against us?
http://www.advicegoddess.com/archives/2008/01/separation_of_m.html
Amy Alkon at January 15, 2008 6:34 AM
These people - TSA and their web contractors - are morons. Getting a valid SSL cert installed on a website is a ridiculously trivial and inexpensive matter. I'm no web guru and I managed to do it for my business without any serious difficulties.
The only thing that I've noticed their system do effectively is get me tagged for extra screening every time I've purchased a 1-way ticket on short notice. This makes sense.
A meta-complaint: why are government agencies permitted to award no-bid contracts except in exigent circumstances? Does this do anything other than promote incompetence, graft and cronyism?
justin case at January 15, 2008 6:58 AM
"...noted that such "major incompetence" could have been avoided by basic oversight."
I will note that there seems to be a big shortage of basic oversight in the federal government. We've had several scandals locally, and the ones I've been a party to showed the field people operating with no oversight. We have this big sprawling bureaucracy in Washington DC and it ends up just being a money conduit.
"...we might as well just burn our tax dollars"
Utter and total truth.
doombuggy at January 15, 2008 7:04 AM
I like that part about missing 75% of "simulated explosives." At least they'll catch one in four.
flighty at January 15, 2008 7:08 AM
Or blow themselves up just before the metal detector, or place bombs around the support columns in airport parking garages where the garage is above the ticket counters,
Or take pot shots at planes from the highway with missile launchers.
There are no security measures in place to stop these things.
Also given airport police don't have to go thru the security lines what's to stop terrorists from kidnapping a man's family and blackmailing him into transporting bombs past security?
And what about the utter lack of security around the air traffic control hubs across the country?
Which is a bigger threat, one terrorist blowing up one plane? or one terrorist blowing up one room full of people responsible for thousands of planes?
Airport security is no more effective now than it was in the 70's. It is nothing more than a smoke and mirror show designed to make people think they are safe while at the same time constantly reinforcing the need to "BE AFRAID, BE VERY, VERY, AFRAID"
lujlp at January 15, 2008 7:13 AM
Here's the text of a letter I wrote to the TSA this past summer about a truly ridiculous experience at SFO:
"I have an artificial knee. It's made out of metal, a kind of metal that always sets off metal detectors. On the morning of Sunday, June 10, I was flying from San Francisco to New York (by way of Denver).
I was on line to get screened at the San Francisco airport. I got on line to go through the detector. It went off, and the TSA screeners came over to make sure that I'm not carrying any forbidden items. No problem, I'm used to it by now. So a TSA screener came over, and I told him that I have an artificial knee. He patted me down and found that I had nothing in my pockets (I'd emptied my pockets and removed my watch and belt, and placed all the items into a container to be passed through the metal detector), so he told me to walk up to the search area. He was walking behind me. We walked for a short distance to where there are little areas set aside for searching. From behind me he told me to go into the area to my left. I started walking that way. Then I heard him shouting "DO YOU HAVE A PROBLEM, SIR? WHAT IS YOUR PROBLEM? YOU NEED TO FOLLOW MY INSTRUCTIONS, SIR." You know how one can give that extra little emphasis to the word "sir," just to make it insulting? He was doing that at the top of his lungs. He went on like that for a while. I was standing there completely bewildered. I mean, I hadn't done anything, and he was shouting at me, and other TSA people are starting to notice. I was hopelessly confused. And then I saw what the problem is. The screener didn't know his left from his right. He meant for me to enter the enclosed area to my right, and when I went the other way (to my left, as he'd instructed), he thought I was trying to evade him or something. I turned around and said "hey, you told me to go to my left," and the look on his face was priceless. I mean, what could he say? He had told me to go to my left, and all his co-workers had heard him. He couldn't deny it. But he was going to make me pay the price for embarrassing him. I got an extremely thorough and time-consuming (unnecessarily so) search. I very nearly missed my plane.
Needless to say, by that time I really did have a problem, but there was nothing I could do (if I complained, I'm sure the process would have taken even longer), so I got on the plane and tried to forget about it.
My only observation is that affecting an extremely authoritative (not to say authoritarian) demeanor while saying something totally idiotic is a bad combination, and one not likely to impress the public with the measures being taken to ensure our safety."
Absolutely amazing.
Larry McKenna at January 15, 2008 7:30 AM
Regarding the website, I don't think the real problem was incompetence although that was certainly there. The real problem was the corrupt single source no bid contract fed to a friend (who also happened to be incompetent.)
Even if he had built a proper website, the corruption stinks and there should probably be jail time for a few people.
jerry at January 15, 2008 7:30 AM
All this hype while not making us any more secure would be bad enough but apparently it's while making us less secure. Sometimes there are advantages to being financially challenged (and, hence, not having the money for nice vacations). Like Rad, there's nowhere I want to go bad enough to go on a plane to get there but I'm sure I feel the sting less than someone who would otherwise enjoy traveling.
Donna at January 15, 2008 9:33 AM
By its very nature, airport security is not PROactive but REactive (terrorists are creative--the TSA doesn't know what to protect us against until a terrorist succeeds or nearly succeeds).
I really feel for the checkpoint agents, I really do. And most of the ones I've encountered are friendly, efficient, and surprisingly patient given the passengers screaming at them for enforcing rules they themselves probably know are bullshit.
But, there are always the ones that are immune to common sense/blessed with the disposition of a DMV employee who's having a bad day or the Vogons in Hitchhiker's Guide to the Galaxy--like the gentleman who protected flyers from Larry's artificial knee. Or the gentleman I encountered on New Year's Day.
I'd flown cross-country to celebrate w/ friends. Since I was spending about 12 hours there, I brought no luggage and only wore the clothes I went clubbing in plus a hoodie. The festivities of the evening resulted in my shirt getting soaked with Patron. I knew that I'd probably get thrown off my 8 am flight if I smelled like alcohol, so I put my top in a plastic bag, tucked it in my carry-on, and wore my hoodie to the airport w/ nothing underneath.
Granted, I probably looked like a cross between Britney Spears and Nick Nolte when I showed up, barely conscious after getting no sleep, but that doesn't account for the fact that one of the security checkpoint guys started screaming at me:
"MISS YOU HAVE TO TAKE YOUR JACKET OFF!! ALL JACKETS MUST COME OFF BEFORE YOU GO THROUGH THE METAL DETECTOR."
"But," I explained, "I don't have a shirt on under this jacket. I don't feel comfortable taking it off, I'm sorry."
"YOU ARE WEARING A COAT. ALL COATS MUST COME OFF BEFORE YOU WALK THROUGH THE METAL DETECTOR. YOU ARE MAKING ALL THESE PEOPLE WAIT."
I suppressed the desire to say that he must REALLY want me to take my shirt off.
"Ummm...I don't think you want me to take this off."
"MISS IF YOU DON'T TAKE IT OFF, YOU WILL HAVE TO GO THROUGH AN ADDITIONAL SEARCH."
"Fine" I said. I walked through, and didn't even set off the alarm, as the zipper on my hoodie was plastic.
A woman waved a wand over me a couple times, patted down my arms, and I was on my way.
sofar at January 15, 2008 10:58 AM
The airport lines do have a purpose. They shut up the most vocal and clueless activists, who blame government for everything - and they help you understand that you're really presumed guilty, not innocent. You're already accepting that idea. Like the whore arguing about the price, you'll give up your virtue for the right convenience.
Radwaste at January 15, 2008 2:33 PM
Speaking as someone who flies a great deal for both business and pleasure, has family members who travel for business at least three times a month, and whose father is a pilot I have to say this much about TSA:
They are a fucking joke. Poorly trained, power drunk fuckmuppets. They even fail at keeping the honest people honest.
Elle at January 15, 2008 4:15 PM