Flaw in TSA website exposed thousands of people to possible ID theft.

The Transportation Security Administration (TSA) is a friggin’ joke. Not only are they engaging in security theater in our airports, but they managed to actually make people less secure by running a website that had basic security flaws:

The web site was hosted on a commercial domain by a contractor and did not use SSL encryption for submission forms that transmit sensitive identification information. The few pages of the site that did use SSL used an expired certificate that had been self-signed by the contractor. The lack of proper encryption was brought to the attention of TSA last year by security researcher Chris Soghoian, who noted that such “major incompetence” could have been avoided by basic oversight.

“At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a web site that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information,” says the report summary. “These deficiencies exposed thousands of American travelers to potential identity theft.”
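The failure quoted above, forms that collect identity data and post it over plain HTTP, is the kind of thing a pre-launch check catches in seconds. What follows is an added example and not code from the original post, from TSA, or from Desyne: it parses a page's HTML with the Python standard library, resolves each form's action against the page URL (so relative and scheme-relative actions inherit the page's scheme, exactly how a browser would submit them), flags any form that would transmit over plaintext HTTP, and marks the ones whose field names look like identity data. The page URL, host names and form fields are constructed for illustration.

```python
"""Flag HTML forms that would submit over plaintext HTTP.

Added example (not the original post's code). Sample page and URL
are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings that suggest a field carries identity data. Illustrative,
# not exhaustive; tune to the forms you are auditing.
SENSITIVE_KEYWORDS = ("ssn", "social", "passport", "dob", "birth", "license", "address")


class FormCollector(HTMLParser):
    """Collect every <form> with the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Missing or empty action means "submit to the page's own URL".
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(a.get("name") or a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: resolved action, plaintext flag, sensitive fields."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # Resolve like a browser: relative and '//host/...' actions take the page's scheme.
        target = urljoin(page_url, form["action"])
        scheme = urlparse(target).scheme.lower()
        sensitive = [
            name for name in form["fields"]
            if any(key in name.lower() for key in SENSITIVE_KEYWORDS)
        ]
        findings.append({
            "action": target,
            "plaintext": scheme != "https",
            "sensitive_fields": sensitive,
        })
    return findings


def plaintext_sensitive_forms(findings):
    """The findings that matter most: identity data leaving over plain HTTP."""
    return [f for f in findings if f["plaintext"] and f["sensitive_fields"]]


# Constructed sample: an HTTP-hosted page with three forms.
SAMPLE_PAGE_URL = "http://redress.example.invalid/apply.html"
SAMPLE_HTML = """
<html><body>
<form method="post" action="submit.cgi">
  <input name="full_name"><input name="dob"><input name="ssn"><input name="passport_no">
</form>
<form method="post" action="https://secure.example.invalid/login">
  <input name="username"><input type="password" name="password">
</form>
<form method="get" action="//redress.example.invalid/search">
  <input name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "PLAINTEXT" if finding["plaintext"] else "https"
        print(f"{status:9} {finding['action']}  sensitive={finding['sensitive_fields']}")
```

The first form is the case the report describes: it looks harmless as a relative `submit.cgi`, but because the page itself is served over HTTP the SSN, date of birth and passport number go out in the clear. For the other half of the finding, the expired self-signed certificate, `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -dates -issuer -subject` prints the validity window and shows issuer and subject identical when the certificate is self-signed.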

The site in question was the traveler redress web site where you get sent if you have a complaint with the TSA. I suppose risk of ID theft is what you get for having the audacity to complain about such a fine and upstanding department of the government. They have an out, though: the TSA itself didn’t directly make the website:

The web site was created by Desyne Web Services, a web marketing firm from northern Virginia whose clientèle includes the FBI, USA Today, and George Foreman. TSA awarded Desyne a no-bid contract valued at $48,816 for development of the redress system. According to the report, the Request for Quote (RFQ) issued by TSA prior to making the deal stated that Desyne was “the only vendor that could meet the program requirements.” The report notes that Nicholas Panuzio, the TSA employee and technical lead who authored the RFQ, had previously worked for Desyne and had known the owner of the web design company since high school—a serious conflict of interest.

Following the revelation of security vulnerabilities in the system, TSA transferred the site to a Department of Homeland Security (DHS) domain and notified users who submitted information through the unencrypted form that they had been exposed to risk of identity theft. The committee’s report notes, however, that TSA never reprimanded Panuzio or imposed sanctions on Desyne. In fact, the report says that Desyne continues to operate several major TSA web sites and has received over $500,000 of no-bid contracts for web services from TSA and DHS.

What’s this? Conflict of interest and corruption within a creation of the Bush Administration? Say it ain’t so! The TSA needs to be disbanded and the functions it performs turned over to some other more competent group. Like, say, The Three Stooges.