It's The TSA, Not CSI: Actions Limited To Security, Not Crime Investigation

from the about-time dept

I'm actually writing this post just minutes after passing through TSA security at JFK, where I was stopped to investigate the fact that I have a candle (a gift) in my carry-on luggage. I'm not sure if this sort of thing makes us any safer (I have my doubts about this kind of "security theater"), but the overall experience was fine and the TSA folks were perfectly nice and professional and let me go on my way (yes, with the candle) in less than a minute. However, apparently some TSA agents have decided that they should serve a purpose well beyond their assigned domain of air travel security. They've been investigating other crimes as well, sometimes going on pure fishing expeditions if they think something looks suspicious, even if it has nothing to do with air travel safety. For example, people have been detained for traveling with large quantities of cash. However, after being sued multiple times, the TSA recently agreed to change its rules to limit its agents actions, so that they are no longer allowed to investigate random crimes and are officially limited to just focusing on air travel security.

25 Comments | Leave a Comment..

TSA Accused Of Trademark Infringement

from the sovereign-rights... dept

JJ sends in the rather amusing news that the TSA's SimpliFLY promotional campaign (which only existed during the 2007 holiday season) may actually violate the trademark of the Salt Lake City International Airport, which uses the term for its telephone help line. From the details, it seems pretty clear this is a pure money grab by the SLC airport, as the marketing director seems quite clear that filing a lawsuit against the TSA was just a way to begin "negotiations." Of course, SLC may find that it has an uphill road to climb, as it needs to explain how the TSA was using the term "in commerce" to show that it's a trademark violation. In the meantime, folks in the marketing department at SLC airport may find that they need to go through a bit of extra scrutiny next time they go through airport security.

12 Comments | Leave a Comment..

Legislation Looks To Create Better Redress System For No-Fly List, But Doesn't Really Define Better

from the heart-in-the-right-place dept

A big part of the TSA's security theater is the much-talked-about no-fly list. The only thing about the list is that it makes many more headlines for stopping five-year-olds and well-known US Senators than it does for actually stopping terrorist attacks. As has been pointed out before, it seems fairly unlikely that anybody intent on carrying out an attack would do so under their real name. Once you're on the watchlist, it's very difficult to get off, but a new bill passed in the House directs the Department of Homeland Security to establish a "timely and fair" redress system to replace TSA's often-criticized efforts. The bill doesn't clearly define how the process should work, apart from requiring the DHS to establish a whitelist of people who were on the no-fly list, but have proven to the government they're not terrorists. How does one do that? Your guess is as good as ours.

Carlo Longino is an expert at the Insight Community. To get insight and analysis from Carlo Longino and other experts on challenges your company faces, click here.

11 Comments | Leave a Comment..

Security Theater In Action

from the don't-you-feel-safer-now? dept

The Atlantic has an article in which the author, Jeffrey Goldberg, put various Bruce Schneier theories to the test, to see just how ridiculous airport security is these days. As expected, he discovered that Schneier is correct in calling most airport security "security theater." It's designed to make people think they're safer because they see something that looks like security, even if that security does absolutely nothing to stop terrorists. As the article notes, it's not at all difficult for terrorists to bypass the system, so the only thing the system is really good for is to (a) catch really, really dumb terrorists or (b) to make other people think that the security is doing something.

Schneier, of course, has been making this point for years, so it was interesting to see what sort of response Goldberg was then able to get out of the TSA's boss, Kip Hawley. His responses seem to fall into one of two categories. First, he suggests that the TSA is well aware of the potential vulnerability described, but he can't really explain how it's been fixed, or secondly, he insists that any odd behavior will be spotted by trained employees and stopped. Except that Goldberg tested that theory too, attempting to behave quite strangely -- including ripping up a bunch of fake boarding passes in plain view of people... who all ignored him.

Hawley's responses at times border on incomprehensible:

"What do you do about vulnerabilities?" he asked, rhetorically. "All the time you hear reports and people saying, 'There's a vulnerability.' Well, duh. There are vulnerabilities everywhere, in everything. The question is not 'Is there a vulnerability?' It's 'What are you doing about it?'"

Well, what are you doing about it?

"There are vulnerabilities where you have limited ways to address it directly. So you have to put other layers around it, other things that will catch them when that vulnerability is breached. This is a universal problem. Somebody will identify a very small thing and drill down and say, 'I found a vulnerability.'"

Either there's some totally secret system that the TSA is using to actually stop these vulnerabilities, or there isn't a system and Hawley is just being confusing in order to create some doubt. I'm not sure either one makes me feel any safer about flying. While some may claim that we should feel safer because there might be a more secretive plan in place that Hawley won't talk about, consider me a skeptic. Security through obscurity has rarely proven to be as effective as a real and open security plan. I'm not saying that the TSA should reveal everything it does, but given Goldberg's experiences in "probing" the system, it's not clear that any "secret plan," whether real or implied, is working particularly well.

52 Comments | Leave a Comment..

TSA Vendor Who Lost Laptop Apologizing To People Who Didn't Even Apply

from the good-record-keeping dept

We recently wrote about how TSA-approved vendor, Verified Identity Pass, had lost a laptop containing all sorts of unencrypted data on people who had applied to be a part of the TSA's "fast pass" Clear program (letting you skip the long security lines for a $100/year). While the laptop was eventually found (in the same place it was lost), the company insists that no data on the laptop was compromised, and has sent out emails to applicants for Clear. But, it appears that at least something is amiss as David Weinberger received one of the emails despite never having applied for the program. So apparently they're just informing people at random now. Or someone else applied in Weinberger's name. Makes you feel very secure, doesn't it?

14 Comments | Leave a Comment..

TSA Loses Laptops With 'Verified' Flyer Details

from the your-middle-name-is-what-now? dept

The concept of a "trusted" or "verified" traveler program at airports has been shown as not particularly secure for years -- but it didn't stop the TSA from aggressively rolling out the program. There's no doubt that, for frequent travelers to locations participating in the "Clear" program, it's wonderful. You pay $100/year and you get to bypass all the security lines, and head to a special faster security screening line, supposedly because your background is already "cleared." As Bruce Schneier writes in the above link, in terms of security, all this really does is give those looking to break security a better target. Get some "terrorists" on the list, and you've just made life a lot easier.

Either that, or pretend to be someone on the list.

And what better way to do that then to get your hands on the details of everyone on the list. Well, it appears that the TSA has forgotten its middle name, and failed to protect its own laptop carrying the (unencrypted, of course) details of 33,000 people on the clear list (Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it's not clear that the difference here really matters). While it certainly may have just been lost or stolen by someone who wanted a free laptop, whoever has that laptop now has the names, addresses and driver's license or passport numbers of 33,000 applicants. It's unclear if it indicates which of those applicants were approved, but I would still imagine that info would be useful to someone looking to bypass airport security.

The company that runs the program, Verified Identity Pass, issued statement that isn't particularly comforting:

"We don't believe the security or privacy of these would-be members will be compromised in any way."

First of all, that's not true. If you've exposed people's names, addresses and driver's license or passport numbers, their security has certainly already been compromised. But, more importantly, rather than those individuals' security and privacy, I would be worried about overall airport security, which has now been compromised. Update: So, this is weird. The laptop has been found. Where was it? Right where it was last seen. Not clear if it was actually lost or someone just got confused or what -- but still not particularly comforting.

28 Comments | Leave a Comment..

Flying Security: Shackle All Passengers With Tazer-Like Bracelets

from the coffee,-tea-or-bzzzzzzzzzzzzzzzzt dept

And we were just talking about how the expected boom in air travel security technology never materialized, and along comes Bruce Schneier to point out a patent on a bracelet that passengers would be forced to wear, which could provide a debilitating shock at the decision of a crew member. And, yes, there's a company trying to commercialize this idea. I'm sure absolutely nothing might go wrong by strapping up all passengers with a potentially debilitating shock. Nothing at all...

37 Comments | Leave a Comment..

TSA Staffer Hires Buddies To Build Insecure Website For Folks Falsely On Watch List

from the well-that-makes-me-feel-safe dept

We've had so many stories of government computer systems or websites that have terrible security or are just useless (but expensive!) that it shouldn't surprise us to hear of another one. Yet, there's always someone who can go a step further. Witness the news that the TSA's website for individuals who find themselves incorrectly on the security watchlist has been found to be insecure, with hundreds of falsely accused travelers exposing personal details by using the site. Even better, it turns out that the company that was hired to build the site got the job in a no-bid contract (meaning there wasn't any competition -- it was just chosen) and the guy responsible for figuring out who to hire just so happened to have been a former employee at that company. So, basically, what happened was that a guy who had taken a job at the TSA hired his former coworkers, with no competition for the job and apparently little oversight, to just build a website that turned out to be insecure. And, of course, without any oversight, it took months before anyone even noticed the site was insecure. And, remember, that this is the TSA we're talking about here -- an organization who's main concern is supposed to be security. I feel safer already.

33 Comments | Leave a Comment..

TSA Inspections Are Still A Farce

from the security-theater dept

If you thought taking your shoes off and putting your liquids in little plastic bags was going to stop terrorists from smuggling bombs onto planes, think again. A new report from the Government Accountability Office finds that investigators were able to smuggle bomb components through TSA checkpoints without being caught. This isn't much of a surprise; a similar test last year found that the TSA caught only 2 out of 22 people who tried to smuggle dummy weapons through checkpoints in a Newark airport. This is not really surprising. The TSA's strategy has been basically reactive: the 9/11 hijackers used box cutters, so those get banned. Somebody tries to smuggle explosives onboard in his shoes, so the TSA makes us all take our shoes off. Somebody tries to smuggle liquid explosives onto a plane, so the TSA bans bottled water. There's no reason to think these rules actually make us safer, but they do allow the TSA to pretend they're "doing something" about terrorism. A TSA spokeswoman insists that this wasn't a fair test because they only got by one of their "19 layers of security." I wouldn't be surprised if the other 18 layers were as ineffectual than the others, but one thing that can be said for them is that they're a lot less annoying for travelers. How about if the TSA stops wasting resources forcing 5-year-old girls to take their shoes off, and shift those resources to the sort of in-depth police work that led to the foiling of last year's liquid explosives plot.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

36 Comments | Leave a Comment..