Sky’s Blog @ The Dalai Lama Foundation — Spreading the word in a networked world

The Clear program at San Francisco International Airport (SFO) has suffered an almost-predictable blow - a stolen laptop computer containing confidential records.

Clear is the program that pre-screens travelers, collects biometric data, puts this on a smart-card (embedded processor+memory, not RFID) and then allows travelers at a few high-traffic airports to go thru a quick-screen line (including a retinal scan to verify ID) rather than stand in lines with un-pre-screened passengers. They still get screened, but they “jump line,” sometimes skipping ahead of a hundred or more who are waiting in the regular lines.

Almost predictably, a laptop containing the data of 33,000 applicants (not participants) was stolen from a secured room at SFO. A spokesperson says “it [the laptop] was protected by two passwords” - but that doesn’t tell us whether the information was encrypted, how secure the encryption was, nor why sensitive information would be on a computer that is portable (and thus easy to steal) computer. (It is pretty easy to bypass password security unless the data is also encrypted - I’ve done it myself more than once on client computers where they’ve forgotted a password - takes about 10 minutes.) And we don’t know what other types of information might be on this computer.

Clear is run by an independent contractor under TSA oversight.

One interesting outcome was the comments ABC7 (San Francisco TV) collected - for instance “Clear customers say the sooner the changes are made the better, although no one seemed too worried about the security breach. ‘You’re information is everywhere and people volunteer their information on places like Facebook, on Twitter, on MySpace and stuff,’ … a traveler.” I don’t actually think they understand the breadth of information that was reported to be on that computer - this is information that is to be used in a security screening, not just social security numbers (though those may not have been present), and presumably known only to the applicant - a far broader range of confidential information than most other systems would hold. It just shows that people are resigned to living in a transparent world - probably until they are directly affected, of course.

KTVU reportage on this same story. KTVU also reports “The TSA requires RT service providers and sponsoring entities to encrypt all files containing participants’ sensitive personal information. Noncompliance with such requirements can result in actions including suspension of a program and possible civil penalties.” I have not verified this, and we don’t know the type of encryption that’s required - for instance a password on a ZIP file is probably not very secure, while encryption with a 2048-bit RSA key would be a lot harder to crack.

I earlier reported on “odd” scanning of my driver’s license at a regional airport, to which TSA replied (in comments on my blog) that it was (probably) an ultraviolet light (blacklight) being passed over the license to be sure it was genuine (this process reveals the “holographic” images in the license’s plastic layers). As I said, I was concerned that any scanned information that passed into a laptop computer allowed potential theft of this confidential information. Well, I guess this Clear incident further emphasizes that security information has no business being stored on a computer that can be physically stolen.

I boarded a plane at a small regional airport two weeks ago. And noticed some new and unusual behavior by the TSA screener at the security checkpoint.

After I walked thru the metal detector, he took a small penlike device and scanned it across the name, address and photo on my driver’s license. Slowly. Twice. Which is why I figured he was scanning. At first my reaction was that he was optically scanning the information into this “pen” and that it would be dumped into a computer later on.

Bruce Schneier is a fantastic source of information and particularly the debunking of security and security myths. From what I’ve read on Bruce’s blog, it’s possible that the TSA guy was just running an ultraviolet light across the license to look at the holograms on the license. But my eyes are pretty sensitive to UV and honestly I didn’t see any reflection. (Cool video of Bruce’s Q&A at defcon 15.)

So I’m still working the theory that he scanned an image that would later end up in a TSA computer. (See IRIS pen scanner, or look at what the New York Times reported last year.)

What would happen to that scanned information? Well, if banks and healthcare institutions are any indication, it would likely go (via USB) onto a laptop computer somewhere, later on to be stolen.

I am continuing to research this, but wonder if anyone else has run into this scanning behavior by TSA?

…and I’m not talking about a hacking cough here.

Twice this week, clients or friends of mine have had their web sites hacked. One was hacked for the second time in a couple of weeks.

I can tell a lot from the forensic analysis as I clean up a site. A bit of CSI as it were.

There is one really big problem that contributes a lot to these hacking epidemics. (more…)

I’m going to start a series of articles (and references) on how our governments are watching us.

I’ll start with China, which is of course very much in the news right now for repressive measures it takes against its citizens. Many of you will know already that China monitors and censors Internet (particularly web) users, but may not be aware how widely it monitors its citizens.

This article China’s All-Seeing Eye by Naomi Klein in Rolling Stone, should get you started. Her subtitle is With the help of U.S. defense contractors, China is building the prototype for a high-tech police state. It is ready for export.

China is notable because what we in the U.S. might regard as fundamental freedoms, like the right to free speech and dissent, seem to be viewed as hindrances to social and economic development.