Flaw in TSA website exposed thousands of people to possible ID theft.

The Transportation Safety Administration (TSA) is a friggin’ joke. Not only are they engaging in security theater in our airports, but they managed to actually make people less secure by running a website that had basic security flaws:

The web site was hosted on a commercial domain by a contractor and did not use SSL encryption for submission forms that transmit sensitive identification information. The few pages of the site that did use SSL used an expired certificate that had been self-signed by the contractor. The lack of proper encryption was brought to the attention of TSA last year by security researcher Chris Soghoian, who noted that such “major incompetence” could have been avoided by basic oversight.
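The two failures named above (a form that posts identity data over plain HTTP, and a certificate that is both expired and self-signed) are exactly the things a site owner should check before launch. Below is an added example, not code from the original post or from the report it quotes, showing the audit in Python: it parses a page for forms whose resolved submit URL is not https://, flags the fields that look like identity data, and checks a certificate dictionary in the shape returned by `ssl.SSLSocket.getpeercert()` for expiry and a self-signed issuer. The page URL, HTML, hostname and certificate values are constructed for the example; the `SENSITIVE_FIELD_HINTS` list is an assumption about which field names usually carry identifying data.

```python
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed list of name fragments that usually mark identity data on a web form.
SENSITIVE_FIELD_HINTS = ("ssn", "passport", "dob", "birth", "password", "license")


class _FormCollector(HTMLParser):
    """Collect each <form> with its action and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_forms(html, page_url):
    """Return forms whose resolved submit URL is not https:// (an empty action means the page itself)."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # Relative actions resolve against the page that served the form.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            sensitive = [f for f in form["fields"]
                         if any(hint in f for hint in SENSITIVE_FIELD_HINTS)]
            findings.append({"action": target, "sensitive_fields": sensitive})
    return findings


def certificate_problems(cert, now=None):
    """Report why a certificate (getpeercert() dict shape) would fail a browser's checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # cert_time_to_seconds parses the 'Jan  1 00:00:00 2007 GMT' form getpeercert() uses.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after < now:
        problems.append("expired on %s" % not_after.date())
    # Heuristic: identical issuer and subject means no third party vouched for the key.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed (issuer equals subject)")
    return problems


# Constructed sample input: a redress-style form served over plain HTTP.
SAMPLE_PAGE_URL = "http://redress.example.test/form.html"
SAMPLE_HTML = """
<form method="post" action="submit.php">
  <input name="full_name"><input name="ssn"><input name="date_of_birth">
</form>
<form method="post" action="https://redress.example.test/contact">
  <input name="email">
</form>
"""
# Constructed certificate: subject equals issuer, and it expired at the start of 2007.
SAMPLE_CERT = {
    "subject": ((("commonName", "redress.example.test"),),),
    "issuer": ((("commonName", "redress.example.test"),),),
    "notAfter": "Jan  1 00:00:00 2007 GMT",
}

if __name__ == "__main__":
    for f in find_insecure_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("insecure form ->", f["action"], "identity fields:", f["sensitive_fields"])
    for p in certificate_problems(SAMPLE_CERT, now=datetime(2008, 1, 1, tzinfo=timezone.utc)):
        print("certificate problem:", p)
```

On a real site the certificate dictionary would come from a connection made with `ssl.create_default_context()`, which already refuses an expired or untrusted certificate; the function here exists to spell out the reason in a report. Note that `getpeercert()` returns an empty dict when verification is disabled, so the check cannot be run with `CERT_NONE` and still get the fields it needs.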

“At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a web site that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information,” says the report summary. “These deficiencies exposed thousands of American travelers to potential identity theft.”

The site in question was the traveler redress web site where you get sent if you have a complaint with the TSA. I suppose risk of ID theft is what you get for having the audacity to complain about such a fine and upstanding department of the government. They have an out, though: the TSA itself didn’t directly make the website:

The web site was created by Desyne Web Services, a web marketing firm from northern Virginia whose clientèle includes the FBI, USA Today, and George Foreman. TSA awarded Desyne a no-bid contract valued at $48,816 for development of the redress system. According to the report, the Request for Quote (RFQ) issued by TSA prior to making the deal stated that Desyne was “the only vendor that could meet the program requirements.” The report notes that Nicholas Panuzio, the TSA employee and technical lead who authored the RFQ, had previously worked for Desyne and had known the owner of the web design company since high school—a serious conflict of interest.

Following the revelation of security vulnerabilities in the system, TSA transferred the site to a Department of Homeland Security (DHS) domain and notified users who submitted information through the unencrypted form that they had been exposed to risk of identity theft. The committee’s report notes, however, that TSA never reprimanded Panuzio or imposed sanctions on Desyne. In fact, the report says that Desyne continues to operate several major TSA web sites and has received over $500,000 in no-bid contracts for web services from TSA and DHS.

What’s this? Conflict of interest and corruption within a creation of the Bush Administration? Say it ain’t so! The TSA needs to be disbanded and the functions it performs turned over to some other more competent group. Like, say, The Three Stooges.

2 thoughts on “Flaw in TSA website exposed thousands of people to possible ID theft.”

  1. Oh, but I feel sooo much safer knowing that those vicious little old blue-haired ladies can’t terrorize us by bringing their knitting needles on board!  In fact, I think that we should have to eat our mini-meals with our fingers so that no one can hijack the plane by holding a spork to the pilot’s throat!

    Seriously, though, a no-bid contract, but they charged less than $50K?  With the cost of living in the DC area?  WTF???  If you’re gonna milk the cash cow, use both hands, fer’ cryin’ in yer’ beer…  Even so, with $50K, you can certainly afford something a little spendier than GoDaddy and a home-baked SSL cert.

    The longer this farcical cluster-@#$%^&* drags on, the more I start to sympathize with Darth Vader’s “solution” for incompetence in his Admirals…

  2. This shit this gov is doing is amazing. I say we stop with the no-bid contract bullshit our government loves so much. Just doing that would save many headaches and pains.

    The longer this farcical cluster-@#$%^&* drags on, the more I start to sympathize with Darth Vader’s “solution” for incompetence in his Admirals…

    LOL! Like a good friend once told me, “If our government handled Spammers the same way China handles contract screw-ups, there would be no more American spammers.” Apparently there was a case where a guy was hanged for screwing up some part of a contract, just a few years ago.

    Shit, we could use the same thing here, even for other areas than spam.
