Opinion

The TSA's useless photo ID rules

No-fly lists and photo IDs are supposed to help protect the flying public from terrorists. Except that they don't work.

By Bruce Schneier
August 28, 2008
http://www.latimes.com/news/opinion/la-oe-schneier28-2008aug28,0,3099808.story

The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to secondary screening. Then the Transportation Security Administration realized that meant someone on the government's no-fly list — the list that is supposed to keep our planes safe from terrorists — could just fly with no ID.

Now, people without ID must also answer personal questions from their credit history to ascertain their identity. The TSA will keep records of who those ID-less people are, too, in case they're trying to probe the system.

This may seem like an improvement, except that the photo ID requirement is a joke. Anyone on the no-fly list can easily fly whenever he wants. Even worse, the whole concept of matching passenger names against a list of bad guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some innocent person's name. At home, before your flight, check in online and print out your boarding pass. Then, save that web page as a PDF and use Adobe Acrobat to change the name on the boarding pass to your own. Print it again. At the airport, use the fake boarding pass and your valid ID to get through security. At the gate, use the real boarding pass in the fake name to board your flight.

The problem is that it is unverified passenger names that get checked against the no-fly list. At security checkpoints, the TSA just matches IDs to whatever is printed on the boarding passes. The airline checks boarding passes against tickets when people board the plane. But because no one checks ticketed names against IDs, the security breaks down.

This vulnerability isn't new. It isn't even subtle. I first wrote about it in 2006. I asked Kip Hawley, who runs the TSA, about it in 2007. Today, any terrorist smart enough to Google "print your own boarding pass" can bypass the no-fly list.

This gaping security hole would bother me more if the very idea of a no-fly list weren't so ineffective. The system is based on the faulty notion that the feds have this master list of terrorists, and all we have to do is keep the people on the list off the planes.

That's just not true. The no-fly list — a list of people so dangerous they are not allowed to fly yet so innocent we can't arrest them — and the less dangerous "watch list" contain a combined 1 million names representing the identities and aliases of an estimated 400,000 people. There aren't that many terrorists out there; if there were, we would be feeling their effects.

Almost all of the people stopped by the no-fly list are false positives. It catches innocents such as Ted Kennedy, whose name is similar to someone's on the list, and Islam Yusuf (formerly Cat Stevens), who was on the list but no one knew why.

The no-fly list is a Kafkaesque nightmare for the thousands of innocent Americans who are harassed and detained every time they fly. Put on the list by unidentified government officials, they can't get off. They can't challenge the TSA about their status or prove their innocence. (The U.S. 9th Circuit Court of Appeals decided this month that no-fly passengers can sue the FBI, but that strategy hasn't been tried yet.)

But even if these lists were complete and accurate, they wouldn't work. Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway bombers and most of the 9/11 terrorists weren't on any list before they committed their terrorist acts. And if a terrorist wants to know if he's on a list, the TSA has approved a convenient, $100 service that allows him to figure it out: the Clear program, which issues IDs to "trusted travelers" to speed them through security lines. Just apply for a Clear card; if you get one, you're not on the list.

In the end, the photo ID requirement is based on the myth that we can somehow correlate identity with intent. We can't. And instead of wasting money trying, we would be far safer as a nation if we invested in intelligence, investigation and emergency response — security measures that aren't based on a guess about a terrorist target or tactic.

That's the TSA: Not doing the right things. Not even doing right the things it does.
On 26 Aug 2008, the Atlanta Federal Aviation Administration facility had difficulties processing data, which meant that all of its flight-plan information had to be processed by the Salt Lake City facility — which became overloaded. As a result, airports experienced hours of flight delays on Tuesday afternoon and into the evening. A similar event occurred on 8 Jun 2007. [Source: CNN.com item, 26 Aug 2008; PGN-ed] http://www.cnn.com/2008/TRAVEL/08/26/faa.computer.failure/index.html
Apropos of the Aug 26 flight plan disaster, FAA spokeswoman Diane Spitaliere said that the investigation into what caused the problem is still ongoing, and she did not know when it would be completed. "It usually takes a while to be quite honest," she said. (AP, 8/26/08) Is this improper to imagine: "Traffic control to all planes in flight: We're having problems with traffic logistics and don't know when they will be unsnarled, to be quite honest. Please proceed to and augment the nearest holding pattern, remain aloft, and observe VFR until further notice." [Unfortunate recording of what she said? "It usually takes a while to be quite honest." It should NEVER take any time to be honest. We presume that what she said orally should have been transcribed as "It usually takes a while, to be quite honest." But commas are seldom COMMAndeered orally. PGN]
Total Air Temperature (TAT) probes on nine American Eagle regional jets were damaged because "an overzealous TSA employee attempted to gain access to the parked aircraft" by using the TAT probes as would-be handholds. [Source: Aero-News.Net, 20 Aug 2008; PGN-ed; see the follow-up analysis by Jim Campbell, ANN E-I-C, who says "This was an extraordinarily dangerous incident, folks."] http://www.aero-news.net/index.cfm?ContentBlockID=340a79d6-839a-470d-b662-944325cea23d
A computer virus is alive and well on the International Space Station (ISS). NASA has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games. NASA said it was not the first time computer viruses had traveled into space, and it was investigating how the machines were infected. Source: BBC NEWS, Technology http://news.bbc.co.uk/2/hi/technology/7583805.stm
Premier (formerly Diebold) has admitted to a software flaw in its GEMS system used in 34 states that can cause votes to be dropped while being transferred from memory cards to a central tallying point. This flaw has existed for at least 10 years, and because it is in the back-end counting software, it affects both touch-screen and optical-scan systems. [Source: Mary Pat Flaherty, *The Washington Post*, 21 Aug 2008; PGN-ed] [Premier had previously asserted that this anomaly was the result of interference from the anti-virus software, which as I noted in my comment at the end of jared's post in RISKS-25.29, seemed totally bogus to me.]
The demise of touch-screen voting has produced a graveyard of expensive corpses: Warehouses stacked with thousands of carefully wrapped voting machines that have been shelved because of doubts about vanishing votes and vulnerability to hackers. What to do with this high-tech junkyard is a multimillion-dollar question. One manufacturer offered $1 a piece to take back its ATM-like machines. Some states are offering the devices for sale on eBay and craigslist. Others hope to sell their inventories to Third-World countries or salvage them for scrap. Much money could have been saved had those bureaucrats just been subscribers to The Risks Digest. Full AP Story here: http://ap.google.com/article/ALeqM5jej6XIWrQn6-gw5O5bJa1ELx78DgD92LLDO00
Even China can't remove the old or cached links fast enough:

> Chinese Gold Medalist Too Young To Compete, Finds Security Consultant
> InformationWeek Wed, 20 Aug 2008 1:42 PM PDT
> Mike Walker's Web search turned up an official Chinese Excel spreadsheet that indicates that gymnast He Kexin is only 14 years old.

http://www.informationweek.com/news/internet/policy/showArticle.jhtml?articleID=210102137&cid=RSSfeed_IWK_All

Blogging under the name Stryde Hax, Mike Walker, a principal consultant for the security group, has posted screenshots of an Excel spreadsheet that was removed from an official Chinese government Web site but was still available through Baidu, China's most popular search engine. The file appears to show that He Kexin is not old enough for Olympic competition.

http://strydehax.blogspot.com/2008/08/hack-olympics.html

Google returns about 36,700 for "He Kexin" AND "1994". (0.31 seconds)

The risk is also claiming the success of youth when it suits the PR in one case but not the other.

http://en.wikipedia.org/wiki/He_Kexin
A large amount of spam was sent out in the name of a well known "spam hunter" in Switzerland, alleging he was about to commit suicide (Article in German at <http://www.20min.ch/digital/webpage/story/19754588>). The attack (according to the media and interview with the person involved) appears to bear signs of the "Russian Internet mafia", and appears to herald a change into personal territory by the criminals involved. This attack has already had effect in that the subject is reconsidering what he does for a living. It's not a new idea to go personal, especially Spamhaus has suffered its share over the years.

The ensuing discussion on a security mailing list was interesting. It started with a simple observation that it maybe was a drive-by attack with infected websites, but there are some deeper implications. I've compiled the observations below.

- - - first response - - -

> AFAIK no DriveBy download, as the domains are not responding at all.

That may have more to do with actions of ISPs in the chain or there may be irony at work - the serving DNS may have been poisoned, thus having one evil canceling out another.

> but according to 20min.ch (article in German)
> http://www.20min.ch/digital/webpage/story/19754588
> it was, as assumed, some unhappy spammer who thought that it's funny to
> send suicide letters.

Calling it that way ignores the real issue IMHO.

> Apparently several people contacted the police to report a possible
> suicide, and they promptly went and rang the guy out of his bed at
> his apartment.

What happened here was that the spammers got personal, and with a large degree of success as the guy is now reconsidering what he's going to do professionally. Let me translate this for you:

1 - he was obviously successful in what he did or whoever did this would not have bothered;
2 - a couple of published successes like that will ensure this to become a frequent event.

The good news is that the effect will diminish over time, the bad news is that this will take time. Are you prepared to have family and friends threatened in this way - YOU may know it's mostly air, but most non-professionals don't, and it won't stop here.

- - - next response - - -

yep. try to explain THAT to your friends, customers, business contacts, etc. IF they are on the recipient list for that kind of spam. It could take you out of business, if people read that kind of crap and probably believe it. Even worse: Who are you going to inform about the faked story? If you inform all of your contacts, you will alert also those who did not even know about the SPAM problem.
The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks. ... One folder on the Web site gave unusual insight into how test preparation companies use older exams to prepare their practice tests. The folder contained digital scans of eight official SATs and six PSAT exams from 2005 through 2007. The tests are created by the Educational Testing Service, a nonprofit organization in Princeton, N.J. http://www.nytimes.com/2008/08/19/technology/19review.html?em
Santa Monica resident Aurelie Foucaut traveled last month to Paris with her two kids. During a brief stopover in Montreal, she made six calls on her BlackBerry to friends and family members, each lasting less than three minutes. Foucaut's wireless bill from T-Mobile arrived a few weeks ago. It included $59.77 in ordinary usage charges. It also included a $2,367.40 "data service roaming charge" for nearly 158 megabytes' worth of Internet access while in Montreal — the equivalent of downloading about 80 novels. "How is this possible?" Foucaut, 41, wanted to know. "I never go on the Internet with my phone. I don't download into my BlackBerry. I don't even know how to do it." *Los Angeles Times*, 27 Aug 2008 http://www.latimes.com/business/la-fi-lazarus27-2008aug27,0,7630867.column
At the moment, we experience tropical storm Fay here in the Miami area. It does not seem too bad compared to past tropical storms, and we have only experienced some few power outages that got fixed fairly quickly (typical). We've had some pretty impressive wind gusts (I'd guess about 40-50MPH). However, I noticed something really weird. I have a battery operated clock that syncs via radio signal reception with the atomic clock in Boulder (very common - made by Oregon Scientific). It currently shows the correct time (as of writing: 9:05 PM EDT) but shows the date as Saturday September 27th 2008 instead of the correct date of Monday August 18, 2008! I have no idea why this has happened. Perhaps some weird electromagnetic effect due to the storm (I have noticed things like compasses giving 180 degree wrong readings and spinning during storms)? Perhaps just some other glitch that just coincidentally happened during the storm?
Victor M. Deeb is wondering why 20 years of his work was thrown away. At 71, he had been experimenting in his basement laboratory. When firemen came in to put out a fire in a window air conditioner, they found 1500 vials, jars, cans, bottles, and boxes of chemicals in his basement when they went to turn off the power. The Massachusetts state hazardous materials team reacted by having everything that was deemed hazardous removed and disposed of. So, 45 years of his research in polymer chemistry went down the drain (so to speak). However, all of his materials were approved by the U.S. FDA and seemingly nonhazardous. City officials maintain he was violating zoning laws. They also maintain he was given opportunities to recover his 20 years' worth of notes, which were apparently seized. [Source: Priyanka Dayal, Chemist considers legal action over materials seized, *Worcester Telegram & Gazette News*, 16 Aug 2008] http://www.telegram.com/article/20080816/NEWS/808160346/1116 The need for backups is not emphasized enough in this much-discussed story. (In this instance, photocopies of the mss notes would suffice.)
See this story in the BBC news: http://news.bbc.co.uk/1/hi/england/hereford/worcs/7585098.stm The story raises at least two questions. Firstly, if we are to believe the story, the person found out what his password had been altered to. So the whole text of the password was available to him (and probably to members of bank staff also). This should not be the case for obvious reasons. Secondly, the story itself is extraordinary, as the BBC seem to have no notion that there might be a serious problem here, rather than just an amusing story. It's tempting to add that this must mean that telephone banking passwords are held in plain-text equivalent, and that this is obviously a huge security problem. It does mean that they must be in plain-text equivalent, but things are not quite so simple: given the common "tell me characters a, b, and c of your password" approach, a conventional one-way hash of the password does not work. I suppose you could create hashes for every possible subset of (say) 3 characters (so for "password", hash "pas-----", "pa-s----" & so on), but that may be quite a lot of hashes (I think it is the number of combinations, so for 3-from-10 it would be 120 hashes, for 3-from-20 it would be 1140), and might also give an attacker a way into guessing the whole password. Still, that would probably be a lot better than keeping it in clear, which seems to be what is happening here.
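The per-subset hashing idea from the item above, worked through as an added example (not part of the original posting): it stores one salted hash per 3-character subset in the "pa-s----" mask form and then measures how small the search becomes once that table leaks. The salt, the lowercase-only alphabet, the use of SHA-256 and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import string
from itertools import combinations, product
from math import comb

SALT = b"constructed-demo-salt"     # constructed value, not a real secret
ALPHABET = string.ascii_lowercase   # assumption: lowercase-only passwords

def mask(chars, positions, length):
    """Build e.g. 'pa-s----': challenged characters in place, '-' elsewhere."""
    out = ["-"] * length
    for pos, ch in zip(positions, chars):
        out[pos] = ch
    return "".join(out)

def digest(masked):
    return hashlib.sha256(SALT + masked.encode()).hexdigest()

def stored_hashes(n, k=3):
    """Number of hashes the scheme keeps for an n-character password."""
    return comb(n, k)

def enroll(password, k=3):
    """Store one hash per k-subset of positions instead of the password."""
    n = len(password)
    hashes = {pos: digest(mask([password[i] for i in pos], pos, n))
              for pos in combinations(range(n), k)}
    return {"length": n, "k": k, "hashes": hashes}

def verify(record, positions, answer):
    """Check a 'characters a, b and c' reply; positions must be ascending."""
    stored = record["hashes"].get(tuple(positions))
    candidate = digest(mask(answer, positions, record["length"]))
    return stored is not None and hmac.compare_digest(stored, candidate)

def offline_search_cost(record):
    """Search each subset hash on its own, as anyone holding a leaked table
    could; returns (recovered text, number of hash evaluations)."""
    n, k = record["length"], record["k"]
    starts = list(range(0, n - k + 1, k))
    if starts[-1] + k < n:          # overlap the last window to cover the tail
        starts.append(n - k)
    found, tried = ["?"] * n, 0
    for s in starts:
        pos = tuple(range(s, s + k))
        target = record["hashes"][pos]
        for guess in product(ALPHABET, repeat=k):
            tried += 1
            if digest(mask(guess, pos, n)) == target:
                for p, ch in zip(pos, guess):
                    found[p] = ch
                break
    return "".join(found), tried

if __name__ == "__main__":
    rec = enroll("password")
    text, tried = offline_search_cost(rec)
    print(len(rec["hashes"]), "hashes stored;", tried, "guesses to recover",
          repr(text), "versus", len(ALPHABET) ** rec["length"], "for one full hash")
```

Each stored hash covers only 26^3 candidates, so the table as a whole is far weaker than a single hash of the full password, even though it avoids keeping the password in clear.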
[From Dave Farber's IP distribution] [Source: Kim Zetter's WiReD blog, Federal Judge Throws Out Gag Order Against Boston Students in Subway Case, 19 Aug 2008; PGN-ed] http://blog.wired.com/27bstroke6/2008/08/federal-judge-t.html U.S. District Judge George A. O'Toole, Jr., vacated the temporary 10-day gag order that another judge had instituted against the three MIT students who were prevented from presenting a talk on security vulnerabilities in the Boston subway's fare tickets and cards. The judge also threw out a request by the MBTA to expand the restraining order. [RISKS-25.28 and 25.29] Dave's IP Archives: https://www.listbox.com/member/archive/247/=now
From: http://articles.latimes.com/2008/jul/20/local/me-dna20

> The FBI laboratory, which administers the national DNA database
> system, tried to stop distribution of Troyer's results and began an
> aggressive behind-the-scenes campaign to block similar searches
> elsewhere, even those ordered by courts, a Times investigation found.
> No one knows precisely how rare DNA profiles are. The odds presented
> in court are the FBI's best estimates.

There is another risk in here. The FBI is tarnishing their reputation and with it the reputation of our whole justice system. The FBI has (had?) a reputation for doing good science. Why are they dragging their feet because somebody wants to double check their work? What are they trying to hide?

I'm not a wizard on DNA matching or statistics, but I think I'm smart enough to understand a good white paper discussing this topic. I'm surprised the FBI hasn't written one and squashed this discussion. Maybe The National Academy of Sciences should be asked to review this tangle.
RISKS readers should be quite aware of the troublesome February 29th. Rather special statistics apply to about one of 1461 people who are born on Feb 29. Recall: Leap-Year software bug gives "Million-dollar glitch" (RISKS-18.74) On the last day of a leap year in 1996, an aluminum plant in New Zealand triggered a software flaw that failed to account for the year having 366 days. It caused an enormously expensive event on the 366th day of the year. And there must be many similar incidents I don't remember. [PGN-ed]
There's a sort-of follow-up to this item in the travel section of today's newspaper (23 Aug 2008):

> A reader comments that the US Electronic System for Travel Authorisation
> application site at https://esta.cbp.dhs.gov didn't accept his passport
> because it was valid for more than 10 years.

Several readers have reported being charged $49.95 for a permit application, which is a pain as the previous paper I-94W forms were free. As far as I can tell, applying via the official ESTA web site is free, but it appears that doing a Google (or similar) search for the site will match on some commercial agency sites which do charge for handling applications. These agencies may be offering some sort of value-added service, but the RISK is that people may be persuaded to pay a third party unnecessarily for something that they could do themselves, because of web search results.
It seems definite that obviously white spaces in the original data were misinterpreted during data transfer. The technical reasons remain unknown so far. In the meantime, all 46000 inhabitants of Stade (Lower Saxony) received new letters from the Federal Central Tax Office regarding their Tax Identification Codes. As far as I can speak for myself and my family, for now the information is correct :-) Nevertheless, the question of who or what was responsible for the mess-up remains unanswered.
> People would be inclined to say "but it's not reasonable to believe that
> large corporate sites would be involved in this sort of collusion!".

Maybe things outside the USA are better, but around here anybody who is at all concerned about their privacy knows that our advertising companies collect all the information that they can get their hands on. Consider credit bureaus. Many years ago they may have been in the credit business. Today, they are in the information business. Besides, it's not just corporate America that wants to collect your info. How many times has TSA been mentioned on RISKS?