Berkeley CSUA MOTD:Entry 50783

2008/8/5-10 [Computer/HW/Laptop] UID:50783 Activity:nil
8/5     Laptop with names of 33K people in the 'Clear' program stolen.  Data
        was (of course) unencrypted.
        http://www.schneier.com/blog/archives/2008/08/laptop_with_tru.html
        \_ http://news.yahoo.com/s/nm/20080805/bs_nm/tjx_theft_charges_dc
           When are people going to learn to encrypt sensitive data?
           \_ When encryption becomes transparent enough that no one has
              to learn, it just works.  Seriously, people will keep fucking
              this kind of thing up until encryption is the default.
        \_ Laptop found in the same office where it was thought to have been
           stolen, and was never turned on during the missing period.  (Of
           course this doesn't change the necessity of encrypting.)

Cache (6929 bytes)
www.schneier.com/blog/archives/2008/08/laptop_with_tru.html
Comments

I noticed the Clear kiosk when I was standing in a security line a few weeks ago. The main thing I noticed was that I was through the regular line relatively quickly (less than 10 minutes). So, for the privilege of shaving 10 minutes or so off your wait in that particular line, you get to pay $100 annually and have your personal data stolen. You know, I actually feel kind of sorry for the poor suckers who fell for this nonsense. I hope cutting in line makes up for all the work they'll have to do and the money they'll have to spend fighting identity theft if this data gets sold. By the way, when can we stop having "trusted traveler" and the like where the average Joe has to prove he's innocent and start having "trusted official" where it's up to the officials to prove they're A) competent and B) not on the take? August 5, 2008 12:39 PM

Apparently TSA's requirement that Registered Traveler providers use data encryption was poorly enforced and has no teeth other than suspension of new enrollments. It still amazes me how many people don't grasp that a little drive encryption can change their exposure from tons of bad press and millions of dollars in penalties and cleanup to $2,000 to buy, image and deploy a replacement laptop. Before we went to enterprise-wide mandatory drive encryption on laptops and desktops about four or five years ago, our last lost laptop cost about three million for all of the consumer disclosures and credit report monitoring for the affected customers. if subscribers aren't any more "trusted" than anyone else, then... why do they have to give "sensitive personal information" in order to sign up? I suppose one could make a business case that Clear should identify their customers uniquely so that every "John Smith" must pay his (or her) own fee, but I suspect it's just the old habit of many "Security" types: gather all possible information about other people. Ask them why, and they give you a blank look and say "Security". August 5, 2008 12:44 PM

Perhaps corporations and government entities need to adopt strict policies about storing personal data on laptops and other portable hardware; it seems like a simple solution to a fairly common problem. Or at least ask themselves if it's really necessary to carry around all this data. August 5, 2008 12:54 PM

I hope this means all the Clear enrollees will get /extra/ screening. Their identity might have been stolen, so anyone claiming to be on the program could be a terrorist! I just want to see another TSA program be an obvious, public failure. html Anyway, it should be noted that 'Clear' is a private service, not directly associated with the TSA, and the link above is to do with border guards, so there isn't necessarily any direct connection aside from laptops sprouting legs and wandering off... August 5, 2008 1:24 PM

@Bryan True, but TSA doesn't exactly have a stellar record at encrypting sensitive data either. If they don't, then why should private service providers? August 5, 2008 2:13 PM

That laptop went missing for a reason, presumably to take it somewhere to copy off the data. It was "announced" as returned to take the heat off the vendor (of course, speculation on my part). August 5, 2008 2:14 PM

Interestingly, two months ago when I was at SFO I saw the Clear people doing signups, and actually thought to myself, "that's not a very secure setup they've got. I'm sure that laptop has interesting information on it, like a list of people that won't get as much TSA scrutiny." In my reader, the story says "TSA: Laptop with Clear applicants' info missing" but when I click on it, I get a story that says "TSA: Laptop with Clear applicants' info found". The CBS 5 story that Bruce links also now indicates the laptop was found. Interesting that the laptop was found so quickly after the story was published. I also find it interesting that both SFGate and CBS 5 have apparently updated the original news item instead of issuing a new one.

surprisingly they were happy to share details to a complete stranger about the incident. "Oh yes, it was our laptop in the office but there's no need to worry because it is double-encrypted." I'll spare you the details, but believe me it was funny. The best part was at the end when they asked me to sign-up for clear today. Felt like a scene from WallE -- welcome to Buy and Large security. August 5, 2008 2:38 PM

why such thing as "trusted traveler" program exists in the first place. smells like privatization of something that is meant to be public good. good software for travel pattern analysis could act on travel records alone to establish one as frequent traveler. August 5, 2008 2:49 PM

Ironically enough, the new 'seize-a-laptop' border policy would get someone traveling with double-encrypted data to be stopped at the border... August 5, 2008 3:04 PM

Did anybody ever find out what "personal data" was on the computer? I thought it was the access control computer, containing the goofy biometric data they use to make sure you're in the program. It's not obvious how to turn a fingerprint hash of retina scan hash into identity theft. Clear is a membership club, you're buying access to a security line that has fewer people in it. It's not less security cloak-and-dagger, it's just less waiting for the other folks in line to go through the TSA-approved security incantation. Bruce says "None of this is security" and it's likely Clear would agree. They are selling the elimination of other people from the queue in front of you. That's not a security function, it's a time-waste reducing function. While we might like to see the TSA stop wasting everyone's time, that would be a different blog topic. com/music/Border_agents_may_become_tools_for_the_RIAA_ MPAA_and_SIIA "Under ACTA, border patrol agents will be able to seize peoples' laptops, iPods, and other electronics which they suspect contain illegally-obtained media. If the border patrol thinks they've found such media on the devices, they are authorized to DESTROY them at their DISCRETION." so kid you have the new hip hop track let me see your 400$ ipod *steps on it* you couldn't have bought that. August 5, 2008 5:48 PM

"officials are working to determine whether any of the data was compromised" How would they be able to tell? If I copy the files for off-line cracking, no trace of the copying is left on the original disk. After all, this is fundamental to computer forensics: always copy, never modify the original. August 5, 2008 6:07 PM
Cache (1478 bytes)
news.yahoo.com/s/nm/20080805/bs_nm/tjx_theft_charges_dc
The charges target three people from the United States, three from the Ukraine, two from China, one from Estonia and one from Belarus. The ring, which authorities said was headed by a Miami man named Albert Gonzalez, hacked into the retailers' computer networks to capture the numbers, which they then stored on computer servers in the United States and Eastern Europe. They then sold the information to people in the United States and Europe, who used it to withdraw tens of thousands of dollars at a time from automated teller machines, authorities said. "This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results," Michael Sullivan, US Attorney in Boston, said in a statement. "Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information." Gonzalez, who is being held by New York authorities on another computer hacking-related charge, was charged with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy, authorities said. N) and MasterCard Inc (MAN) to settle complaints related to the incident, which is one of the largest on record based on the number of accounts involved.