Posted by Seth on December 9, 2009 under Screening Management SOP, TSA
I suppose that it was inevitable that the TSA would eventually fall on their face and do something like this. “Secure” documents have a habit of slipping out every now and then and the TSA has been around long enough at this point that the odds were no longer in their favor. What is interesting to me is how this particular action actually blossomed into a full-blown media event. A TSO shows up to work with a gun in his pocket and the media eventually gets bored and walks away. But this is a juicy one. It has “secrets” in it and who doesn’t like discovering a secret?
Watching the story grow through web statistics has been interesting for me over the past couple days. This isn’t the first time I’ve posted about the TSA doing something stupid but it is most certainly the first time it has grown legs. So just exactly how did it happen? Here’s the timeline as best as I can recreate it.
Around 3pm on Saturday, December 5th a link was posted on FlyerTalk.com to the FBO.GOV website where there were details of a contract for screening services in Montana that had been out for bid (the FBO link is dead now; there is a cached copy here). In that bid package there were a number of attachments including two different “redacted” copies of the TSA’s Screening Management SOP. The copies were actually slightly different but the general content was substantially the same. That post was out there for almost 24 hours before I stumbled upon it and decided to see what was in the document. Three clicks later I was reading a “redacted” copy of the SOP, something that the TSA meant to put online. About 10 minutes and a couple more clicks later, however, I was one of a couple folks who realized just what we were looking at and what the situation was. It took me another hour to get a blog post together and at 4:16pm EST on Sunday afternoon the post went online.
My blog doesn’t have all that many readers regularly so I’m honestly not really sure how it went from there. What I do know is that someone thought it was worthy enough to put a link up on http://news.ycombinator.com/, a self-described “Hacker News” social media site. From there the story made it to the Wired Threat Level blog as well as BoingBoing.net (two sites that I really enjoy, FWIW) and Jaunted. On Monday The Register in the UK picked up the story as well, noting how foolish security through obscurity generally is in the process. Chris Elliott, a syndicated travel writer, also picked up on it during a chat on Monday afternoon and posted a blurb about it on his blog. US News & World Report had a piece as well.
At that point the story probably could have died. But it didn’t. Tuesday saw the story picked up by SlashDot in the morning and Gothamist in the afternoon. Fortunately the site is hosted by systems that can handle the resulting SlashDot effect and the blog has stayed online.
And then, it went mainstream. The Cleveland Plain-Dealer had an article out on the story on Tuesday afternoon. ABC’s World News Tonight led off their broadcast with the story (and some really bad computer stock images). The Washington Post followed up on the story as well. That story was published late Tuesday evening online and is on the front page, below the fold, of today’s print edition. The Associated Press put together a piece that was picked up by a number of outlets on Tuesday evening, including USAToday, Yahoo! and MSNBC.
Overnight Tuesday night/Wednesday morning the BBC got into the game and USAToday had an original piece in their Today in the Sky blog. It was on page A22 of the dead tree edition of the NY Times, running the AP wire piece as well.
Yeah, to say that this one has legs is a bit of an understatement.
I’m sure I’ve missed a number of the sources covering the story at this point. The good news is that this is out there. Hopefully the correct questions are asked as a result of the leak and hopefully we can move towards a system that actually represents security rather than security theatre. I’m not holding my breath. Oh, and I’m still waiting to hear back from the TSA on a number of open questions about this issue. Conversations with elected officials will be my next step as hopefully they can actually compel the TSA to answer the questions that they seem likely to brush me off on.
Posted by Seth on December 8, 2009 under Screening Management SOP, TSA
I’m not a legal scholar. I didn’t even stay in a Holiday Inn Express last night. But I am pretty good about spotting what appears to be a felonious act, especially when it jumps off the computer screen and smacks you right in the face. And after reading through the various non-responses from the TSA regarding this leak one bit seems to stand out more than the others. The TSA appears to be playing down the breach in part because:
The version of the document that was posted was neither implemented nor issued to the workforce.
That’s the direct quote from the TSA’s blog entry regarding the matter. The problem with that statement is that the document appears, in fact, to have been issued. At least once.
In May 2009 the Identity Project posted on their website the results of a Freedom of Information Act (FOIA) request that they originally submitted in June 2008, right around the time that the document in question is dated. The document that was returned in reply to the FOIA reads 100% the same as the document uncovered over the weekend. It has the same revision number. And it has the same date. It is very, very difficult for me to believe that there is any way that the document previously released to the ID Project is not the exact same document that was published on the fbo.gov website and then found to have been improperly redacted.
[Image: The FOIA document]
[Image: The fbo.gov document]
What does that mean?
Either the TSA is lying about the fact that this document was never actually implemented or they issued a false reply to a FOIA request. They’re stupid or felonious. I wonder which one.
I reached out to the TSA Public Affairs office and even tried to get an answer from their “breaking news” duty officer. I didn’t get very far in either of those efforts. But I know that a number of major news organizations are covering the story now and I’ve been feeding bits of information to a few of them. Hopefully one or more of them will be able to push the TSA harder for a legitimate answer than I can.
(For those concerned about possibly having been exposed to SSI documents but reading here anyways, both bits above are considered public and not really SSI in any way.)
Posted by Seth on December 8, 2009 under Screening Management SOP, TSA
Since the discovery and publication of the non-redacted TSA Screening Management SOP this past Sunday the TSA has been working to clean up the mess. Hardly a surprise and you’d think that they would be used to such situations by now. They’re moving with amazing speed, actually. First, they managed to get the document offline in relatively record time on a Sunday afternoon. Then they were able to actually get a public statement out to inquiring press within about 5 hours – more than an hour per paragraph and the last one shouldn’t really count since it is just the same closing they use every time something comes up. And then they realized, and mentioned in a post on their blog yesterday afternoon, that the version in the wild was never actually implemented. Or at least that is what they’d have us believe.
Sure, I’m willing to go out on a limb and say that they’re telling the truth on that aspect (and believe me, it is a stretch to go there). That version was never implemented nor was it ever distributed to the workforce. Fine. But it was used to define the job responsibilities of a multi-million dollar annual contract (the deal was signed for just over $11MM) for a company that will be performing screening in seven Montana airports. So either that version is substantially similar to the actual SOP in play at that time (it is dated May 2008 and was posted online in March 2009, a span of 9 months) or the contractor was asked to bid based on false specifications. I don’t know which is worse. Incompetence or fraud.
It is also interesting to note that the time span that the document in question was supposedly not implemented roughly matches the time span from when it was posted online until now. In the recent span the TSA claims that six new versions have been published and distributed to their workforce for implementation. Yet in the previous nine month window apparently not too much changed. At least not enough for the TSA to be concerned about the requirements they were asking contractors to bid on.
I’ve reached out to the TSA for clarification on this issue and I’ll share what I get. I’m betting on a lot of “no comment” but I’m hoping for a surprise.
Posted by Seth on December 7, 2009 under Screening Management SOP, TSA
Apparently the TSA really believes in the guidance provided by mothers everywhere in the winter: multiple layers will keep you warm and cozy. I reached out to the Office of Public Affairs this morning regarding the accidental release of the non-redacted Screening Management SOP document. The initial call received a “no comment” with a promise of follow-up. Apparently the copy-and-paste crew were double checking things for quite some time because the eventual answer I got from the OPA wasn’t particularly useful:
The Transportation Security Administration (TSA) has become aware that an outdated version of a Standard Operating Procedures document was improperly posted by the agency to the Federal Business Opportunities Web site wherein redacted material was not properly protected.
TSA takes this matter very seriously and took swift action when this was discovered. A full review is now underway.
TSA has many layers of security in place to keep the traveling public safe and to constantly adapt to evolving threats. TSA has put appropriate measures in place to effectively screen passengers at airport security checkpoints nationwide.
Yup, it is all about the layers. The layers will protect you.
Sure, they had to revise the opening paragraph of the statement but the rest of it is boiler-plate and pretty worthless. Sadly, it seems that this is likely to be the last of their comments on this gross breach.
Sure, some of the content is likely outdated. I get that it isn’t the most current version of the document. The information about selectee screening and exemptions is fun to read but since most selectee designations went away earlier in the year it isn’t quite so relevant. But knowing the specific thickness of wires that will and will not show up on the x-ray machines seems like something they probably didn’t want out in the open. Ditto for the process by which they test the calibration of the magnetometers with pseudo-guns. And I’m betting that most of that content is still current, even if they tend to lead the conversation in the other direction.
Nothing new, really. They screwed up and they’ll take care of it internally. I wonder if they have the cojones to actually charge someone with leaking SSI information. They had no compunction about prosecuting a guy who shared information that was only deemed classified after he shared it. This one was marked up pretty good on every page. But, of course, it “is an internal matter” and we just have to trust that they’ll do everything correctly to follow up. Just like we were supposed to trust them before despite the fact that they’ve done nothing to earn that trust.
The security theatre that the TSA performs is a joke and their internal enforcement seems to be a joke as well. Hardly a surprise.
Posted by Seth on December 7, 2009 under Screening Management SOP, TSA
It is amazing how time can flow in the federal government. The TSA Screening Management SOP document that I posted about yesterday had been online since March. Sure, apparently not many people knew about it and even fewer knew that it actually contained the content that was assumed by TSA’s legal department to be redacted. Once that was noticed, however, the proverbial cat was out of the bag. Apparently having the document online actually wasn’t that big a deal. Properly redacted it was no longer considered SSI and was useful for the purpose of its original publishing – to allow contractors to bid on providing screening services for airports in Montana.
But once the lack of redaction was exposed the gears of government started to turn with great speed. Just hours after the reports started circulating on the internet the file was gone. From a Department of Commerce website. On a Sunday evening.
Who says that the government is glacial?
Seriously, though, apparently they are concerned about the general public knowing the correct procedure for TSOs washing the table and changing gloves following a positive reading on the ETD machine. Or the frequency with which the black-light and loupe are supposed to be used in the screening process (here’s a hint: it is WAY higher than what I’ve ever experienced at an airport). Or the list of folks exempt from the selectee screening even if their boarding pass is noted as such? Actually that last one is a pretty good read (Section 4.3.15 (B)).
The good news is that plenty of people have copies of the document, including WikiLeaks.org and Cryptome.org. The version available from the latter is actually quite nice since it has the black boxes removed for easier reading. So the original link I shared is dead but there are plenty of other sources out there.
I’ve put in a call to the Office of Public Affairs for a comment on the release and have thus far been stonewalled. I’m planning on calling back later this afternoon in an effort to get something – anything – from them. We’ll see how that goes.
Posted by Seth on December 6, 2009 under Screening Management SOP, TSA
When the TSA makes mistakes this egregious it really isn’t all that hard to pick on them.
The latest is that their Screening Management Standard Operating Procedure is published on the internet. I actually like that. I don’t think that security through obscurity is a good idea. Of course the document is marked SSI and includes this footnote on every page:
SENSITIVE SECURITY INFORMATION
WARNING: THIS RECORD CONTAINS SENSITIVE SECURITY INFORMATION THAT IS CONTROLLED UNDER 49 CFR PARTS 15 AND 1520. NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A “NEED TO KNOW,” AS DEFINED IN 49 CFR PARTS 15 AND 1520, EXCEPT WITH THE WRITTEN PERMISSION OF THE ADMINISTRATOR OF THE TRANSPORTATION SECURITY ADMINISTRATION OR THE SECRETARY OF TRANSPORTATION. UNAUTHORIZED RELEASE MAY RESULT IN CIVIL PENALTIES OR OTHER ACTION. FOR U.S. GOVERNMENT AGENCIES, PUBLIC DISCLOSURE GOVERNED BY 5 U.S.C. 552 AND 49 CFR PARTS 15 AND 1520.
So the decision to publish it on the Internet is probably a questionable one. On top of that, however, is where the real idiocy shines. They chose to publish a redacted version of the document, hiding all the super-important stuff from the public. But they apparently don’t understand how redaction works in the electronic document world. See, rather than actually removing the offending text from the document they just drew a black box on top of it. Turns out that PDF documents don’t really care about the black box like that and the actual content of the document is still in the file.
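A publisher can check for this overlay-instead-of-removal failure before a file goes out. The following is an added example, not part of the original post and not any agency's tooling: it scans a constructed, uncompressed page content stream and reports text whose origin sits under a rectangle filled later in the stream. The function name `covered_text`, both sample streams, and the simplifications (only `Td`, `Tj`, `re` and fill operators; no transforms, `TJ` arrays or compressed streams) are assumptions.

```python
import re

# Literal strings "(...)" or any other whitespace-delimited token.
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|[^\s()]+")
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}

def covered_text(stream):
    """Return text strings whose origin lies under a rectangle filled after them."""
    operands, texts, rects, pending = [], [], [], []
    pos = (0.0, 0.0)
    for tok in TOKEN.findall(stream):
        if tok == "BT":                      # new text object: reset position
            pos = (0.0, 0.0)
        elif tok == "Td":                    # tx ty Td: move text position
            pos = (pos[0] + float(operands[-2]), pos[1] + float(operands[-1]))
        elif tok == "Tj":                    # (string) Tj: show text
            texts.append((pos, operands[-1][1:-1], len(rects)))
        elif tok == "re":                    # x y w h re: rectangle path
            pending.append(tuple(float(v) for v in operands[-4:]))
        elif tok in FILL_OPS:                # path is painted: it now hides things
            rects.extend(pending)
            pending = []
        elif tok in ("S", "n"):              # stroked or discarded, not filled
            pending = []
        else:
            operands.append(tok)
            continue
        operands = []
    hits = []
    for (x, y), text, painted_before in texts:
        # Only rectangles painted later in the stream sit on top of the text.
        for rx, ry, rw, rh in rects[painted_before:]:
            if rx <= x <= rx + rw and ry <= y <= ry + rh:
                hits.append(text)
                break
    return hits

# Constructed sample: a black box drawn over text that is still in the stream.
OVERLAY_ONLY = """
BT /F1 12 Tf 72 700 Td (Public paragraph) Tj ET
BT /F1 12 Tf 72 650 Td (constructed sensitive sentence) Tj ET
0 0 0 rg 70 645 300 16 re f
"""
# Constructed sample: the text operators were removed before the box was drawn.
TRUE_REDACTION = """
BT /F1 12 Tf 72 700 Td (Public paragraph) Tj ET
0 0 0 rg 70 645 300 16 re f
"""
```

A non-empty result means the box is cosmetic and the text must be deleted from the stream, not covered; real files also need their streams decompressed and their transforms applied before a check like this is meaningful.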
Yup, their crack legal staff managed to screw this one up pretty badly. Want to know which twelve passports will instantly get you shunted over for secondary screening, simply by showing them to the ID-checking agent? Check out Section 2A-2 (C) (1) (b) (iv). Want to know the procedure for CIA-escorted passengers to be processed through the checkpoint? That’s in the document, too. Details on the calibration process of the metal detectors are in there. So is the procedure for screening foreign dignitaries.
It is pretty pathetic that the folks supposedly responsible for administering this “security” program cannot even be bothered to do the simplest parts of their job correctly. Then again, passing through the checkpoint every time I fly it is pretty clear that they do a lot of things incorrectly. Just chalk this one up to more of the same idiocy. More done badly.
Want to read it for yourself? Grab a copy here. Who knows how long they’ll keep it online.
Once you’ve downloaded the PDF you’ll see the black boxes. Simply highlight the text (start above and drag down to below the redaction area) so that you’re selecting all of the stuff in the “redacted” area. Copy the selection and paste it into the word processing client of your choice.
UPDATE: The original link to the document appears to be dead now but a mirror of the file can be found at www.cryptome.org with the un-redaction work already completed.
UPDATE 2 (1 JAN 2010): There has been another “redacted” document published on the internet. This one has details of checked baggage screening processes. Not good.