"Clear" Air-Travel Pass Data Stolen From SFO

Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."

How many times does this need to happen

[Gat0r30y]

Before they require hardware based encryption for drives containing this sort of data? It seems completely ridiculous to me that they would keep sensitive data like this on an unencrypted drive.
One word of this: Incompetent.

Directed to the Systems Administrator of VIP, inc.

[gcnaddict]

You've got social security numbers of thousands of people on company laptops and you didn't make it a policy to encrypt everything?

Seriously?

That will teach people not to give out information

[Anonymous Coward]

Who am I kidding. No, it won't.

Re:Security theatre

[boaworm]

Yea, and this also brings some interesting light to the issue with "If you have nothing to hide, why don't you want to provide us with your [biometrics|passport|id|*]" argument.

Refusing to give away address, email, phones, SSID along with fingerprints is almost considered a crime in itself right now, since if you are not planning on terrorist activities, you don't have anything to hide, have you!?

But here, perfectly innocent people suddenly have all their personal information spread to criminal groups or whoever end up being the buyer of this information.

Scary stuff...

Re:Does nobody use disk encryption?

[AJWM]

WTF was data like this doing on something nice and portable like a laptop anyway? I bet it was in an Excel spreadsheet (the database of choice for PHBs everywhere) too.

(And yes, it should have been encrypted.)

Step 1: Encryption

[Spy der Mann]

A laptop containing the unencrypted -

NEXT!!!

Lack of proper management

[ds_job]

Please tell me that there is going to either be prison time or a huge *personal* fine for the CEO of the tinpot company who thought that a lock and key was enough security. I'n not talking about firing the person who left it there or proped the door open to do the vacuuming, but the person at the top who says "Yes, this is cost effective and proper." We need to have people at board level think twice about storing our data so shockingly badly.

Good write up

[Faux_Pseudo]

This might be the best summery I have seen in some time. It has far more usefull informtaion than the linked news story. I want to personally thank the poster for that and suggest we could use a 'goodsummery' tag to balance the 'badsummery' tag that we so often see.

Re:Security theatre

[Cruciform]

The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.

That might be the point for you, but for the government officials there are other points to consider:

1) Who bid the lowest.
2) Will the company chosen contribute enough money to my/our campaign in the future.
3) Is there a way I can profit from my choice of contractor.

The idea that someone would believe a company is chosen for its actual merits is ludicrous.

Re:Security theatre

[BWJones]

Yeah.... You have nothing to fear except fear itself..... and incompetence. So, just hand your data over to us and we'll verify that you are who you are which really does nothing for national security anyway because there is nothing that prevents someone from getting "cleared", then carrying out a crime later.

Re:Does nobody use disk encryption?

[xgr3gx]

I know really. It's always laptops with critical data.
A laptop should be nothing more than a client to the critical data. (Obviously with proper login and security to connect to whatever hosts the critical data)
Bah! So dumb!

Re:Security theatre

[Anonymous Coward]

The idea that someone would believe a company is chosen for its actual merits is ludicrous.

Well, choosing a company based on something abstract like merits is illegal because it's often used to hide #2 and #3. Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done.

Honestly, do you think larger corporations are any different? Deals are always given to good old boy friends who will give you something later. It's not even illegal, like it is in government.

Re:Security theatre

[rk]

The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.

That's the ostensible reason, the one they use to sell it to those who distrust government spending like libertarians, fiscal conservatives and some old-school Republicans.

The real reason is usually to privatize the profit centers, while continuing to keep the cost centers public, so the old boy network can continue to get slopped at the public trough.

I don't get it

[jjohnson]

I don't understand why data like this was on a laptop in the first place. Encrypted or not, it seems problematic to have copies of databases floating around, flying with executives, packaged up neatly in a form that makes it easy to steal (i.e., a freakin' laptop).

What am I missing that I don't get why this database was allowed off the core server that hosts it? Simply from a data integrity standpoint it seems like a bad idea to let multiple copies move around.

Irony

[FrankSchwab]

I guess my question is....

Could a terrorist organization exploit this information to be able to get someone on a plane who wouldn't have been able to before? A fake passport/drivers license in the name of a trusted passenger who knows all the personal information he should. In any kind of rational security process, each and every one of the CLEAR passengers would now be on the TSA Watchlist, subject to extra scrutiny.

Talk about blowback! Talk about (Alanis Morissette be damned) irony! An intrusive system designed to help trusted passengers bypass an intrusive search for terrorists, allows those same terrorists to bypass the search.

Re:How many times does this need to happen

[nasor]

The ridiculous thing, in my option, isn't that people aren't careful with "personal information" - it's that banks, credit card companies, etc. all like to pretend that knowing a social security number magically proves that you are who you claim to be. I shouldn't have to keep my information secret just because it makes things convenient for some company that wants to give credit cards/loans/whatever worth thousands of dollars to people that they have never met, via the mail. That's an idiotic business plan, and it shouldn't be my problem that people try to scam them.

Re:Does nobody use disk encryption?

[cream wobbly]

Screw disk encryption. The data should not have been on the laptop in the first place. It should have been in a secure location, reached by secure connections.

Then if the laptop is stolen, the most the thief will get is the method by which the data is reached, and possibly the IP of the server. Because nobody saves usernames and passwords, right?

Right?

In case you were wondering...

[rickb928]

You can NOT make this shit up.

I wouldn't be fired if this happened to my laptop. I would be charged, sued, and ostracized, and find a new line of work. Probably with the phrase 'biggie-size' involved.

Almost as ludicrous as electonic voting...

Re:How does this system improve security, anyway?

[nasor]

That was my first thought as well. How do they know that a terrorist wouldn't just add himself to the list? Or, if that's not possible, simply impersonate someone who is on the list? Since apparently the list of all 33k people is now floating around, they would have plenty of choices of people to impersonate.

Re:Directed to the Systems Administrator of VIP, i

[Aliencow]

Like the sysadmin really had a say in this. He probably asked for that a thousand times.

next time...

[harvey the nerd]

One can hear it already, "we encrypted it, it'll never happen again". Next time, "its okay, we encrypted all the records with 1024 bits" and then have to admit the key was on a sticky note over the screen of the stolen laptop or in an attached thumb drive. Clear's name is now Mudd but the whole "airport security" business is a dangerous hoax (constitutionally and economically, too).

It will be interesting to see the fallout from this episode of "Security Theatre".

Re:Lack of proper management

[oyenstikker]

CORPORATION, n. An ingenious device for obtaining individual profit without individual responsibility.
- The Devil's Dictionary

Where are the Corptards now?

[Anonymous Coward]

So CorpTards(tm) where's all your blather about businesses being able to run things more efficiently/securely than government.

Corps can often do things cheaper, but that's because they usually cut corners to save on costs. Just take that from someone who has worked for them and knows what they're like.

(Anonymous Coward is one of the foremost experts on corporate culture)

Re:Security theatre

[Intron]

Happens all the time. Then another corporation buys all their assets for cents on the dollar, the stockholders get screwed, and surprisingly, the new company is run by the same guys who ran the old company.

Get rid of these bozos NOW!

[sribe]

OMG! The only, ONLY appropriate response is to temporarily shut down the program, fire the contractor, ban them from future work on this, put it out for bid again and start over.

Now they'll encrypt it...

[EEBaum]

$50 says that they'll keep the key to the encrypted data on a post-it attached to the computer, or use "password" as the password, or have a file on the desktop called "key to encrypted data".

Make it a punishable offense.

[MaWeiTao]

I don't understand why there aren't penalties for this sort of thing. The way I see it this qualifies as criminal negligence because the ramifications for an individual of having their identity stolen can be severe.

If lose of personal data is somehow attributable to negligence on the part of the company, in this case the lack of encryption and maybe not securing the laptop properly, the company should be penalized. The most obvious would be a fine; lets say $10,000 for each account.

My bank, or companies they do business with have managed to lose a significant amount of customer information, not once, but twice in the past year. They mailed out notices and provided customers with some bullshit free access to credit monitoring for 12 months, later extending it to 18 or 24 months. And that's that, it's out of their hands.

But then what the hell do politicians care? With financial institutions like Countrywide giving out extra-low interest rate VIP loans to congressmen they have no incentive whatsoever to look out for our best interest.

Re: PHB

[Phrogman]

I expect the required rules for security of the data were likely in place and applicable to most employees. It would take a special kind of stupid to not have some security rules.

But those rules seldom are applied to upper echelon management who can simply say they want data X in a readable format (probably an Excel spreadsheet) put on that laptop for their trip etc. The higher you are in an organization it seems the less likely you are to think the rules apply to *you*.

Either that or this "theft" is a convenient way to explain how the data got into the hands of a commercial enterprise that purchased the data via a bribe on the side.

In any case, the CEO's of the company all the way down to the employee who lost the data should all be fined and given jail time. I know that won't happen, but it is what should happen.

Re:Security theatre

[maxume]

So your argument is that because some things that are called security are necessary and beneficial, anything that is called security must be necessary and beneficial?

Re:Security theatre

[demachina]

"Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done."

That USED to be the only consideration before the Bush administration came to town, that and if you had a token minority or woman in your executive suite you could win by exploiting affirmative action.

But, the Bush administration has been constantly sole sourcing and otherwise steering contracts to friends and contributors for 7 and a half years. There is a well oiled machine of Republican connected lobbyists who hooked companies up with a fast path to contracts. Karl Rove apparently tried to turn the entire executive branch in to a political tool where government contracts were being steered to "good Republican" companies and as tools to get Republicans elected for bringin home the bacon to companies in their districts. Many of the contracts in Iraq, both in supporting the military and rebuilding Iraq(rebuilding it very badly it turns out), were done that way.

Maybe its illegal but if no one enforces the law what does the law matter. The Bush administration had complete contempt for the law in little things like torture, spying on Americans, hiring and politically motivated prosection in the DOJ etc, what makes you think they care about it in government contracting. If they dominated the executive branch, including the DOJ, and the Congress, which they did from 2000-2006 they knew no one would investigate anything, or enforce any law. Some private citizen or public interest group would've had to blow the whistle. When they've tried the Federal government has been very effective at smacking them down. I recall a number of instances where Federal contract monitors and auditors have questioned the performance and billing of politically well connected contractors, and if they didn't shut up and rubber stamp the payments the Bush administration just fired them and put someone in the job who would stop asking questions. There was an instance of this reported a couple weeks ago.

Even since the Democrats regained control of Congress the Bush administration has been very good at frustrating every attempt to investigate all their law breaking.

If the Republicans had managed to stack the courts a little better, and hadn't been so incompetent and corrupt that they started losing elections again in 2006 the law would have been pretty much history in the U.S.

Re:Security theatre

[XenoPhage]

The key is to have the requirements written "properly".

And that's part of the problem. The government, in many cases, outsources because it does not have the expertise to do the job. Not having the expertise also manifests itself in the lack of details in the requirements document. Just requiring a security company that can secure stuff isn't good enough, you need to elaborate. In many cases, you may need to elaborate into details like what encryption algorithms are usable, what are not, etc. Stuff your average government lackey would know nothing about.

Re:How does this system improve security, anyway?

[smellsofbikes]

You've hit upon the actual problem with this whole scheme: if you build a two-tier security system (whether you call it Clear or racial profiling or whatever) you annoy the people in the lower tier because they're being 'profiled' for extra checking -- they're false positives and they resent it and tell you that you're a racist or something.
But the reason it's a Very Bad Idea isn't because of them, it's because of the false negatives, the people who figure out how to get into the less-checked, higher tier. If you're a nogoodnik and you have nogoodnik associates, you just keep trying, using different associates, until you get some people into the higher-tier group, and once they've managed to get through the system once or twice, you now have enhanced access. It's like the social equivalent of a software backdoor, and it's why two-tier systems are not only irritating but can make a system less secure.

IT is facing the same problem EVERYWHERE.

[ErichTheRed]

I'm not surprised this happened...well, maybe I'm surprised that a security company would leave that kind of data on a laptop.

Fact is, this happens everywhere and it's going to get harder to manage. Unless you start taking people's laptops and even their desktop PCs away from them, you'll never stop it. Add to that the fact that you can get 16 GB flash drives and 80 GB iPods. The only ways to stop this are to (a) encrypt data, or (b) take users' toys away. Neither happens without a huge fight.

Encrypting laptops is a really big challenge. If you let users do it themselves (using vendor software, Windows EFS or others,) then they hold all the encryption keys and could make it impossible for you to get the data back in the event they get fired or quit. Implementing enterprise encryption is another road, but has its own set of problems. You have to have a full-time admin to keep the public key infrastructure up, revoke and reissue certs, etc. You also need to spend a large sum of money -- RSA and others make huge bucks every year selling enterprise-level disk encryption software. This is a very hard fight to win until something bad like this happens. And even if you get the software purchased, convincing the execs that you also need someone to look after it is tough.

Plus, you cannot stop a developer from taking the customer database home on a 1 TB disk drive to write/test software against. Unless you're disciplined enough to scrub any dev data of any customer information, it will be used. Even if you tell them they're fired if they take home data, being fired isn't the permanent black mark it used to be. Not everyone's a professional.

So, either completely limit access to data, or take toys away. Everything else is just a band-aid. I odn't mean to sound defeatist, but unless you give employees some incentive to protect customer privacy, they won't do it. Security is a major pain in the butt...even I think so. The key is to make security "not a pain."

Re:Targeted theft?

[bugs2squash]

What's less damaging ?

oops - we fucked up and gave away your data, sorry, won't happen again...

or

oops - the whole basis for us being here at all is undermined because the process of background checking as a way to pinpoint troublemakers is fundamentally flawed. The background checks we make on our own staff are clearly as worthless as the ones we run on you.

I wonder what checks they do run anyway - I bet most of them are focused on ensuring that the check for $128 doesn't bounce.

Firefox is probably more picky about self-signed CA certs than these guys are about terrorists. Good job Clear have the TSA to indemnify them on that one.

Re:Security theatre

[JCSoRocks]

What is it with planes? The only reason planes were so effective in 9/11 is because they TOOK IT OVER and FLEW IT INTO A BUILDING. That sort of thing won't happen again. I have a feeling everyone on the plane would fight it. Continuing to secure them like they're bloody fort knox is ridiculous. If the only reason we're worried about it is the potential for loss of human life... we're wasting our time. Why bomb one plane when you could blow up a whole airport terminal? Anyone remember Oklahoma city? Much more devastating than just a plane blowing up in mid-flight.

Don't get me wrong. I'm all about security where it's needed and where it's appropriate. I'd prefer not to be killed by a terrorist just as much as the next guy... but we've got to maintain some perspective here. You can't stop someone willing to commit suicide from killing people. Look at that guy in Japan that ran over people in a mall with a truck and then started stabbing people. He was armed with a KNIFE.

Throwing away our rights for the illusion of security depresses me.

Too bad they didn't "make available" MP3s instead

[joe_n_bloe]

Unfortunately there's not a mouthpiece for a giant multibillion dollar industry available to sue people who "make available" personal information.

Nor are their investigators roaming the internet making warrantless searches for offenders.

Nor are there lobbyists sending Congressmen on junkets to ensure that maximally favorable and punitive laws are passed.

And when the government serves up your personal information, even through a contractor, you usually can't sue anyone, and if you do, it takes most of a decade. And you definitely can't bully the government for a settlement.

As usual, it sucks to be a plain old citizen.

Re:Security theatre

[Anonymous Coward]

Nice to see the almost automated partisan knee-jerk moderating system is still working.

Bury my posts as trolling as fast as you can. It's not /. it's digg!

I was going to mod you troll, but you genuinely seem to not understand the moderation, so I thought this might be more educational.

Your posts are moderated as "troll" because your argument is poorly reasoned, poorly expressed, and wholly inflammatory. You fail to address the claims of "security theater" (ie, why identity verification increases safety of travel), and instead provide a fallacious and derogatory argument.

Your blaming this on partisanship only demonstrates a total lack of cognizance of your churlish use of logical fallacies to further a point, and moderation as "troll" is well deserved.

This is slashdot, not digg, and I hope that we have the capability to hold discourse to a higher standard.

Re:Security theatre

[Muad'Dave]

Asking someone to show ID to get on a plane seems reasonable to me.

How does knowing a passenger's identity increase your safety aboard an airplane? I'd rather allow anonymous travel and require mandatory pat-downs than believe I'm any safer because some government hack knows the name of the guy that's willing to die so he can kill a few others.

So much for not needing 'papers' to travel inside the US.

Real-ID resistance

[Plugh]

Now perhaps a few more people will understand why we fought so hard to ensure that New Hampshire will not participate in the Real-ID system, or any de facto national ID card that may follow. [freestateproject.org]

Re:Security theatre

[dgatwood]

None of the Sept. 11th hijackers were in the U.S. illegally. All had legitimate forms of identification, and none used false identification. I doubt any were even suspected of terrorist ties.... We ask people to show ID as they get on airplanes for one reason and one reason only: to make people who can't see through the new sham measures feel safer.

Want to make people actually safer?

• Construct a non-privacy-invading millimeter-wave scanner. Build it in such a way that everything that passes through would get hit with a beam, but not in such a way that that you can see pictures, i.e. much blurrier, more scattered, more regional in nature. Sort out the data through basic math about the composition of the human body. See way more metal than you would expect (regardless of whether it is ferrous), set off red flags. Detect massing of large polymers, set off flags. And so on. Do this with computers, not through people watching a screen. Then, let the computer identify what general vicinity set off red flags with lights on a board with the shape of a human drawn from a couple of angles and ask them to empty the contents of their shirt pockets.
• Add mass spectrometry portals to detect dangerous chemical residues.
• Add shoe millimeter-wave machines that don't require passengers to remove their feet from the shoes. Step in, step out.
• Move all parking and drop-offs to a minimum of 1500 feet from any area where people congregate (terminal buildings, etc. Use conveyor belts to get people into the terminal. Have the mass spectrometer portals and a security person in an atrium at the midpoint of the belts. This should be a fairly quick procedure, so you shouldn't build up a line of any significance. You're just looking for bomb residue to reduce the risk of somebody doing a suicide bombing attack on the terminal.
• Make all personnel subject to the same security screening as passengers---no waving a badge and getting a quick pass through security.
• Figure out why people are doing these quick pass things and fix security so that they are not necessary, then give them the boot. The biggest point of security risk from an individual passenger safety perspective is waiting in line for the security checkpoint.

QED

[bill_mcgonigle]

I have a feeling everyone on the plane would fight it.

You have a feeling? This was proven an hour and twenty minutes after the first plane hit the Twin Towers, by ordinary Americans correctly assessing the security situation over a field in Shanksville, PA.

Then we hardened the cockpit doors to make double-sure. Everything since then has been a distraction.

Re:Security theatre

[dgatwood]

As a total dollar amount, sure, the U.S. seems to give a lot. I used to think that was pretty good until I saw the cold, hard math. Total dollars is just not a very interesting metric when you consider how wealthy the U.S. is as a nation. Per capita, the U.S. provides much less disaster relief money than any of the other major world powers, and as a percentage of our GNP, it's even more laughable.

Remember the parable of the widow who gave her two coins in the synagogue. People perceive that we a nation give of our excess while so many others give in spite of their need. It's like a billionaire giving $500 at a charity auction. Even if it is more than all the other people combined, if that was his only donation to any charity, people will still call him stingy. The poor woman who gives the two pennies that would have helped help feed her family... she is the one we should aspire to imitate as a nation.

Another issue...

[lord_sarpedon]

It concerns me that credit card numbers and social security numbers are these all-important pieces of "your identity" that must be carefully safeguarded at all costs. Nobody can know! Except all those entities that ask for then. Like these 'Clear' guys. And exactly 9,267 waiters.

Proof of identity that is equivalent to the identity itself, in entirety, hmmm? Why can any number of people impersonate you, but are trusted not to? Why can your identity be "stolen" from a third party?

I cry for the day when society at large discovers what the sweet loving fuck a private key is, and perhaps even a respectable comprehension of what defines "secure." Security is not so just because your government and the man in the uniform assures you that things are _better_ now, or even simply that the status quo is _perfectly fine_. It's a small subset of your typical Americans (in my experience) that when presented with the latest breakthrough in airport security, have a response beginning with "Couldn't they still just..."
Most are sheep. And a lot of the smarter ones still feel just a teensy bit better.
It doesn't take a hacker's mindset to poke holes in the elaborate security handwavings presented day to day. Do they not care?

Identity is a funny thing here. People are scared shitless of a big brother style national ID card, but line up for state drivers licenses, of which fakes are made plentiful to satisfy the desires of even the most low budgeted of teenagers. Supposedly the government knows you exist if you have a birth certificate. SSN supposedly optional, but I'd love to see someone try. But the government as well as everything private seems to forget who you are from building to building - each asking you again for that same basic info. In practice most things are just as anonymous as they are online. Go ahead, lie about whatever you want. See if they notice. I'm Nat Tellin half the time.

Think for a moment about how you would create a 'new' identity. How terribly possible it is to simply disappear, and pop up again somewhere else as a new person. Bonus points for looking totally benign under scrutiny - perhaps you 'immigrated' from Canada using some thin mask of false credential. Just as long as you keep telling the same lies to all the right people, really. At what point have you succeeded? Genuine but falsified photo id? SSN? Credit history?

All that defines you is ability to provide a series of opaque alphanumeric values that you freely give to most anyone, but are next to impossible to verify.