
Ah, the TSA amuses me to no end sometimes. Recently there was a misguided attempt by the agency to post a “redacted” PDF document of their screening guide online. Sadly, this fell into the trap of being a simple black bar placed across the offending text. Unknown to the parties doing this is that it is a trivial exercise to recover the blacked-out text.
Now, the corner office types are circling the wagons.
From ABC:
On Wednesday, the Transportation Security Administration’s (TSA) acting director insisted to Congress that the mistaken posting of secret airport screening procedures online posed no threat to holiday travelers because the procedures had changed, but refused to provide members of Congress with the newest version of the TSA’s screening manual to prove it.
Ah, fuckwittery abounds. If you’re bored feel free to download a copy of the TSA manual which we have mirrored. They have since removed the document from their website but, too late. The thing is literally all over the tubes of the web.
Now, Congress may have a two drink minimum at the best of times but, I doubt it could ever be considered wise to piss them off. Gale Rossides, acting TSA head, insisted that the discovered SOP version of the screening manual was outdated. But, front line folks for the TSA disagreed.
But current and former Transportation Security Officers (TSO), meaning TSA employees who have direct knowledge of screening procedures, disagreed with Rossides about the impact of the breach. They said that they were appalled that the agency failed to take immediate steps across the country to counteract the heightened travel threat caused by the posting of the improperly redacted document.
I would tend to agree with the folks that work for a living as opposed to the spin doctors.
Call me a cynic.
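A pre-publication check for the black-bar mistake described in the first paragraph, as an added example that is not part of the original post: it flags text that is still present in a page's content stream underneath a filled rectangle. The two content streams are constructed samples, and the parser assumes an uncompressed stream with plain Td/Tm/Tj text operators and no coordinate transforms.

```python
import re

# Constructed sample: an uncompressed page content stream where one line is
# "redacted" only by painting a black rectangle on top of it.
BAR_ONLY = rb"""
BT /F1 12 Tf 72 700 Td (Screening overview) Tj ET
BT /F1 12 Tf 72 650 Td (Sensitive procedure text) Tj ET
0 0 0 rg
70 646 200 16 re f
"""
# Constructed sample: the same page with the text object actually removed.
TEXT_REMOVED = rb"""
BT /F1 12 Tf 72 700 Td (Screening overview) Tj ET
0 0 0 rg
70 646 200 16 re f
"""

# A token is either a (string literal) or a run of non-space, non-paren bytes.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|[^\s()]+")
NUMBER = re.compile(rb"[-+]?(?:\d+\.?\d*|\.\d+)")

def text_under_fills(stream: bytes) -> list[str]:
    """Return strings whose text origin lies inside a filled rectangle.

    Paint order is ignored on purpose: any text sharing space with a fill
    is reported, because the text is in the file either way.
    """
    stack, pending, rects, texts = [], [], [], []
    x = y = 0.0
    for match in TOKEN.finditer(stream):
        tok = match.group()
        if tok[:1] == b"(":
            stack.append(tok[1:-1].decode("latin-1"))   # string operand
        elif NUMBER.fullmatch(tok):
            stack.append(float(tok))                    # numeric operand
        elif tok[:1] == b"/":
            stack.append(tok)                           # name operand
        else:                                           # operator
            if tok == b"BT":
                x = y = 0.0                             # new text object
            elif tok == b"Td" and len(stack) >= 2:
                x, y = x + stack[-2], y + stack[-1]     # relative move
            elif tok == b"Tm" and len(stack) >= 6:
                x, y = stack[-2], stack[-1]             # absolute position
            elif tok == b"Tj" and stack:
                texts.append((x, y, stack[-1]))         # text is shown here
            elif tok == b"re" and len(stack) >= 4:
                pending.append(tuple(stack[-4:]))       # x, y, width, height
            elif tok in (b"f", b"F", b"f*", b"B", b"B*"):
                rects += pending                        # path was filled
                pending = []
            elif tok in (b"S", b"n"):
                pending = []                            # stroked or discarded
            stack = []
    return [s for tx, ty, s in texts
            if any(rx <= tx <= rx + w and ry <= ty <= ry + h
                   for rx, ry, w, h in rects)]
```

A non-empty result means the bar is cosmetic and the document should not be released until the underlying text object has been removed.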

The storm clouds are gathering over the Clear debacle. Someone woke up Congress and now they want answers.
From Wired:
Clear subscribers paid $200 annually to skip to the front of security lines at 20 of the country’s largest airports, but they had to undergo a background check and turn over social security numbers, fingerprints and iris prints to get the card.
That data trove left a lot of unanswered questions after Clear closed abruptly last Monday night. The company, which was founded by journalist-cum-entrepreneur Steven Brill, belatedly told members it was seeking to sell its data to another fast-lane company. If a buyer wasn’t found, it would destroy the data, according to the company’s website.
Hmm. $200 dollar subscriptions for over 165,000 people. So, $33 mil per annum and they’re not filing for bankruptcy? This smells all wrong.
Not only am I curious as to the fate of the data but, where did all the money go?

From the Associated Press:
More than a quarter million people are wondering what will happen to their fingerprints, Social Security numbers, home addresses and other personal information now that a company that sped them through airport security is out of business.
Government officials are wondering too.
Well, wonder no more…for the moment at least. Today we had one of our readership who was good enough to share a copy of the Dear John letters that Clear Members around the US are receiving on the heels of the program’s demise (Thx rybolov).
Flyclear.com have taken down the website and replaced the main page with the following email text.
From: “Clear Customer Service”
Date: [REDACTED]
To: [REDACTED]
Subject: Clear Member Update
Dear [REDACTED],
In response to questions raised by our members, Clear would like to offer the following information:
Clear Lanes Are No Longer Available.
At 11:00 p.m. PST on June 22, 2009, Clear ceased operations. Clear’s parent company, Verified Identity Pass, Inc., was unable to negotiate an agreement with its senior creditor to continue operations. Verified Identity Pass regrets that Clear will not be able to continue operations.
How is Clear securing personal information?
Clear stands by our commitment to protect our customers’ personally identifiable information – including fingerprints, iris images, photos, names, addresses, credit card numbers and other personal information provided to us – and to keep the privacy promises that we have made. Information is secured in accordance with the Transportation Security Administration’s Security, Privacy and Compliance Standards.
How is Clear securing any information at the airports?
Each hard disk at the airport, including the enrollment and verification kiosks, has now been wiped clean of all data and software. The triple wipe process we used automatically and completely overwrites the contents of the entire disk, including the operating system, the data and the file structure. This process also prevents or thoroughly hinders all known techniques of hard disk forensic analysis.
How is Clear securing any information in central databases and corporate systems?
Lockheed Martin is the lead systems integrator for Clear, and is currently working with Verified Identity Pass, Inc. to ensure an orderly shutdown as the program closes. As Verified Identity Pass, Inc. and the Transportation Security Administration work through this process, Lockheed Martin remains committed to protecting the privacy of individuals’ personal information provided for the Clear Registered Traveler program. Lockheed’s work will also remain consistent with the Transportation Security Administration’s federal requirements and the enhanced security and privacy requirements of Verified Identity Pass, Inc.
The computers that Verified Identity Pass, Inc. assigned to its former corporate employees are being wiped using the same process described for computers at the airports.
Will personally identifiable information be sold?
The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.
How will members be notified when information is deleted?
Clear intends to notify members in a final email message when the information is deleted.
Who is monitoring this process?
Clear is communicating with TSA, airport and airline sponsors, and subcontractors, to ensure that the security of the information and systems is maintained throughout the closure process. Clear thanks these partners for their continuing cooperation and diligence.
How can I contact Clear?
Please visit our website, www.flyclear.com, for the latest updates. Clear’s call center and customer support email service are no longer available.
Will I receive a refund for membership in Clear?
At the present time, Verified Identity Pass, Inc. cannot issue refunds due to the company’s financial condition.
Has Verified Identity Pass, Inc. filed for bankruptcy?
At the present time, Verified Identity Pass has not commenced any proceedings under the United States Bankruptcy Code.
Clear Customer Service
Clear, 600 Third Avenue 10th Floor, New York, NY 10016
www.flyclear.com
Three times overwrite to destroy the hard drive data. OK, but, by what method? NIST 800-88 (.pdf) lays out some criteria but, it’s unclear if they followed that guidance or something similar. The Canadian Communications Security Establishment offers this guidance for clearing and declassifying data storage devices.
Myrcurial had this to add,
It depends on the technology and the over-write method — ie: all ones, random, and whether or not the controller (assuming it’s magnetic disk and not tape/optical/etc.) is giving you a true 1:1 representation of all sectors. 3x with the wrong method on a modern IDE disk doesn’t mean the same as one time with the right method on an MFM/RLL disk
Why not just pitch the drives in a grinder? Also, I have little doubt that there were laptops floating about. Have they all been accounted for? Thumb drives?
Oh, and they’re not filing for bankruptcy. But, they’re keeping your money. WTF?
For more on this story check out the following article.

Pilots on a Delta Airlines plane got a rather rude welcoming on Saturday as they attempted to land at Ben-Gurion International Airport. Failing to broadcast a security code in an allotted time frame might have cost them dearly.
From Haaretz:
The National Pilots Association expressed firm opposition yesterday to a new system designed to prevent hijackings and terror attacks, after failings were revealed Saturday.
A Delta Airlines crew seeking to land at Ben-Gurion International Airport on Saturday failed to identify itself in keeping with the system to identify hijacked planes, Code Positive, which is currently in pilot. Israel Air Force planes were scrambled in response, even though this case turned out to be a false alarm. “On Saturday one of this system’s many potential failings was seen,” pilot association chair Boaz Hativa told Haaretz yesterday. He added that the association would determine its official stance on the system after the pilot was completed.
This is obviously not a fail proof system. While in principle a good idea what’s to say a flight might have disabled communications gear? The Code Positive system won’t be a sole source of information ($deity willing) when dealing with a potential hijacking. Just hope that the IDF keeps it in the holster when dealing with these situations.
Oh for the love of $deity. Are you kidding me? I find this a painful story in the level of insult that is visited upon the collective us. TSA screeners are apparently, by policy no less, allowed to bypass screening themselves. Glad to see they’re keeping their eye on the important problems.
From 9NEWS.com Denver:
The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed.
“Lunch or a bomb, you can walk right through with it,” said Mike Boyd, an aviation consultant in Evergreen. “This is a major security issue.”
At DIA, 9NEWS videotaped a dozen TSA screeners walk through a side gate and enter the sterile area of the airport carrying backpacks, purses and lunch boxes. Nothing was screened.
Sources tell 9Wants to Know, the reason for the security change may be tied to the new uniforms and badges.
And what might that tie in be? Well…because the new metal badges set off the metal detectors. Ah, but wait, there’s more.
The TSA says its employees have background checks before they are hired. TSA policy says employees are supposed to report any other arrest, including an alcohol related arrest, within 24 hours or, due to circumstances beyond their control, as soon as possible after that.
And we all know that no one could be so devious as to steal another’s identity.
My brain is all melty at the moment.
Article Link (via ComputerWorld)

You know I find it hard to wrap my head around some decisions. One in particular was in a story that was on CNN last week. The airline Air Canada has jettisoned life jackets from its regional carrier, Jazz, in a bid to save money on fuel. Which I will lay odds will not translate into a ticket savings for the consumer.
From CNN:
Stuart says Jazz is a transcontinental carrier that doesn’t fly over the ocean.
Jazz planes do fly over the Great Lakes and along the Eastern seaboard from Halifax, Nova Scotia, to Boston, Massachusetts, and to New York.
Stuart says all of Jazz’s flights operate within 50 miles from shore. She says the airline operates 880 flights daily to 85 destinations in North America and says the number of flights that operate over water are minimal.
Instead they refer to using your seat cushion as a flotation device. I don’t know about you but, personally, I would much prefer paying a little more for the damn life vest. Seriously, when was the last time you could swim over a mile on Lake Superior?

Yeah, I thought as much.
So, if it wasn’t bad enough that there are 1 million plus folks on the “do not fly” list it appears that there is another list in the USA. The TSA (my buds) have managed to take the names of people who fly within the US without ID, which is legal, and compile a list. So, where have these names ended up? Funny you ask. They’ve been added to a database of folks who have violated security laws or have been questioned due to their behaviour.
WTF?
From USA Today:
The TSA began storing the information in late June, tracking many people who said they had forgotten their driver’s license or passport at home. The database has 16,500 records of such people and is open to law enforcement agencies, according to the TSA.
Asked about the program, TSA chief Kip Hawley told USA TODAY in an interview Tuesday that the information helps track potential terrorists who may be “probing the system” by trying to get through checkpoints at various airports.
OK, so let me get this straight this info is to “helps track potential terrorists”? Did anyone at the TSA miss the fact that it is perfectly legal for US citizens to travel without ID within the States? And the data will be stored in some cases for up to 15 years.
Don’t forget your wallet.
You know, every time I travel I’m a little more amazed at the ignorance and malaise exhibited by the TSA than the time before not to mention fellow travelers. This time flying out of Las Vegas after Defcon I encountered a disproportionate amount of douchebaggery. Here is a summary of the run through at LAS.
I presented the first TSA staffer with my boarding pass and passport and said “good morning” with a smile. He responded pleasantly and then I stepped forward. The lady behind me was promptly informed that she would have to dispose of her bottle of water (I won’t rant here about the instability of liquid explosives at this point).
Now, where was I? Oh yes, the water.
OK, so, being a conscientious person I turned back to the TSA staffer and said, “do I need to get rid of my coffee?” Not wanting to as it was a great cup of joe from Payard in Caesars. He shrugged and said, “I don’t know”.
OK, wait a tick. I can pass through TSA with a large cup of coffee and the lady with the bottle of water gets flagged? Time for mandatory drug testing of TSA staffers I think.
This is where it becomes amusing. The TSA staffer turns to a colleague to ask about the coffee. Now, I will never fault someone for asking if they don’t know the answer. The part that got me was that his co-worker glared at me and said in a rather loud commanding voice “SIR PLEASE THROW OUT THE COFFEE OR WE WILL HAVE TO REMOVE YOU FROM THE LINE”. I found this funny coming from a former member of the lollipop guild. Diluted intimidation. She started to turn red in the face. I made a flourish as I disposed of the coffee in as theatrical a manner as I could manage without going over the top. The first TSA staffer then said, “but, he asked nicely”.
Pleasant little micro-fascist.
Then I turned to begin the de-humanizing process of preparing for TSA screening. Belt, laptop, shoes, iphone et cetera into the bins.
Then came the hit on the shoulder.
WTF?
Two flight attendants for Mexicana air physically pushed me aside and placed their purses and bags on the belt. “Hey, wow, that was kinda rude wouldn’t you say?” I said in a loud voice. They ignored me. A traveler behind me in the line said, “what a bitch” and still no reaction. I went through the metal detector and turned to face a very unpleasant TSA screener.
“Whose bag is this?” She boomed. I looked to see the Mexicana logo. “Them” I motioned to the personality twins. “I have to examine that bag”.
Ah, sweet justice. At this point the screener turns to a co-worker and barks about how much of a living hell her day is. As she does this the Mexicana flight attendant that bumped me reached into the scanner and pulled her bag out. And with that, the personality twins walked away. I tried to draw the TSA employee’s attention to the exiting pair and was addressed thus “Sir, sir. I’m very busy sir. Do not address me unless I speak to you.”
Piss on this. She then lectures me about not putting my shoes into a plastic bin for screening. “It looks like they’re in a bag when you do that sir.”
After a protracted chat on the evil and hardship I had caused her I knelt to put on my shoes. I noticed a cart approaching me. It was heading for my bags. Another TSA employee then rams his cart into my bags. Not once. But, three times. “What are you doing” I exclaimed. “I have to put my cart there.”
No shit, I gathered that genius. The mouth breather then realized that I was less than amused and retreated until I cleared the area. Heaven forbid these folks treat travelers as humans. I always go out of my way to try and be pleasant to TSA and they never fail to fail.
From Minneapolis Star Tribune:
Europeans and others who travel visa-free to the United States can start registering in August for a new online security screening check that will become mandatory in January to enter the U.S., officials said Monday.
The new security measure will replace current paper forms that foreign visitors from the 27 countries that participate in the U.S. visa waiver program have to fill out once they enter U.S. territory at airports and seaports. It will not apply to land border crossings into the United States, where authorities will continue to use the paper forms.
So, why is it that I have an uneasy feeling about this program? Sure travelers would also have to provide all of their other info and fingerprints (mmm, Gummi) but, with this higher level of “automation” will this make it easier to breach the battlements? It appears that they’re moving ever closer to a screening process that removes the element of human intervention. Mind you I could be seeing this in a much darker light than is intended.
Hmm.
Not too long ago someone inside the TSA talked to CNN and leaked the fact there are almost zero air marshals on flights these days. Security through obscurity illusion I guess.
So, what did they do?
Did they put more air marshals in service? Not sure.
Did they say, “our bad, we’ll get right on it”. Nope.
They decided to launch an internal hunt for the leak whistle blower.
From CNN:
The Transportation Security Administration rejected as a “myth” CNN’s report that less than 1 percent of the nation’s daily flights carry armed federal air marshals. Now the agency is conducting an investigation into who talked to CNN and who encouraged other agents to do the same.
A spokesman for the TSA confirmed the investigation.
Spokesman Christopher White said a TSA investigator is looking into the “possible unauthorized release of sensitive and classified information to the news media by covered parties.”
A rational response. Sigh. The TSA refutes the story but, they don’t offer anything to back their version. Rather they claim it as classified information. The marshal in question has asked for anonymity due to fear of reprisals from the TSA. Yeah, the internal investigation won’t validate his position at all will it? (yes, that’s sarcasm)
So, how does one resolve this? Does the TSA come clean? Or do we continue to suffer the pat on the head as they tell us to go play in traffic?




