
TSA's no-bid, data-leaking website was a complete screw-up: House Oversight Committee

Cory Doctorow at 12:58 pm Fri, Jan 11, 2008

The TSA's Traveler Redress Website was created by a no-bid crony contractor, leaked a giant amount of personal information from hundreds of travellers (who had already been screwed over by the agency and were writing in for justice) and exposed them to identity theft. The House Oversight Committee concluded that the TSA totally, absolutely screwed up.

They sure do a bang up job at stopping you from bringing water through the checkpoint though.

That's gotta count for something.

* TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the "Statement of Work" for the contract was "written such that Desyne Web was the only vendor that could meet program requirements."

* The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the "Technical Lead" on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne's owner.

* TSA did not detect the website's security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured "the privacy of users and the security of the system" before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.

Link (Thanks, Bill!)

Update: If you want to read the world's greatest "TSA have lied and cheated and lied and cheated" rant, check out our Teresa's post in the comment thread on the five year old whom the TSA thinks is a terr'ist.

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.


  • Takuan

    happy solution

    http://apnews.myway.com/article/20080111/D8U3VK8O0.html

  • IWood

    Ah, yes. Those pesky “internet bloggers.”

  • Mindpowered

    “Incredible that they would take the site live using a self-signed certificate. It shows major incompetence (elementary oversight should have caught this) and at Desyne, Inc. Someone is either too stupid or too cheap to purchase a real SSL certificate before putting up a site that asks for personal data. This is Web Development 101. Anyone who has ever worked on an ecommerce site should [be] aware of the issues.”

    A real gem from the PDF at the bottom of the website.

  • Susan Oliver

    Which Congress committee is responsible for this kind of thing? I’d like to request a hearing on the matter.

  • Crash

    As the article says, this news was raised by the House Oversight Committee. The TSA more generally falls under the purview of the House Transportation and Infrastructure Committee’s Subcommittee on Aviation.

  • snackcake

    So, who goes to jail for this?

    (I know the answer)

  • Antinous

    Not to defend the TSA, but I would like to address the no bid issue. If you solicit bids, you may be forced to accept the lowest one by the same rules that forced you to solicit bids in the first place. The problem is that the lowest bidder is rarely the best choice. It’s no excuse for governmental cronyism, incompetent design or the existence of the TSA in the first place, but there is a conundrum built into this situation.

  • Santa’s Knee

    @#6:

    The issue is that they are REQUIRED to have a bidding process. You can not defend “the no bid issue” as you call it when it comes to federal contracting of this nature.

  • Antinous

    @#7,

    I’m not defending them. They’re evil. I’m just pointing out that the whole US government is built to be inoperable.

  • Mikey Likes BoingBoing

    I looked at the Desyne website. It doesn’t say a word about their gig with TSA.

    Nor does it give names of any of the officers/principals of the company; that’s always a red flag IMO.

    There are some major names on their “What We’ve Done” page but I also noticed the odd disclaimer: “Please note some of the web sites below may have changed since our initial involvement.”

    You will note the company’s tagline is “It’s all about winning.” No argument there, given how they scored their lucrative little no-bid TSA gig.

  • Cory Doctorow

    The no-bid contract was awarded to a high-school chum of the TSA employee overseeing the work. The same guy was a former employee of said high-school chum. Also: they went out drinking together all the time.

  • jbang

    The TSA, and the associated War On Common Sense, has descended beyond “troubling” and “sad”, past “absurd” and is just wallowing in absolute ridiculousness.

    I’m shocked that government has not intervened… at what point will congress take note? The US is turning into a real theatre of the absurd, and will only look stupider and stupider to foreigners and their governments.

    One can’t help but think too many people either lack self-respect or just don’t want to think about losing face when they concede that the ‘terrorists’, let’s face it, have ‘won’ – if you want to continue to use those inappropriate terms propagated in the name of homeland security.

  • dogu4

    I would ask that anyone planning on voting in the upcoming elections here in the US ask yourself what your favorite candidate’s position is on stuff like this. Being “against terrorism” isn’t an answer.
    I do know that I am very weary of the smoke and mirror game that TSA has created ostensibly to foil terrorist plots but most likely to cover its own ass and its massive stupidity. I guess there could be some internal logic in that nothing frightens a potential opponent more than knowing your enemy is soo freaking crazy it could literally screw the pooch, but we need something more in line with Israel’s intelligent and doubtlessly effective system of interrogation and intelligence instead of an army of earnest but ill-managed would-be burger flippers.
    FYI Ron Paul has said that he’d shut the thing down… Oh, and San Francisco’s airport, which uses private security instead of TSA, has a better than 90% success rate at finding test simulation attempts to introduce explosives, while TSA’s own get about 10%… Feel any safer now that the feds are “on the job” (which translates as “getting full benefits and impossible to fire”)?
    Me neither.

  • Joe

    Oh, and notice that it was the House committee. The Senate homeland security committee is chaired by Joe Lieberman, who cooperates with the Republicans on the committee to make sure that absolutely nothing is investigated, ever.

  • Teresa Nielsen Hayden / Moderator

    Dogu4, if the ground-level employees were properly trained and administering a rational, well-run system, they’d be worth every penny we paid them. The problems originate a lot higher up.

  • dragonfrog

    The self-signed cert makes me wince.

    Everyone here knows, the issue there is not the self-signed cert, but the overall incompetence it reveals. Far too many people don’t get that – they figure, alright, we’ll get a commercial cert, now it’s fixed.

    Nobody would be that nonchalant if they took their car in to be fixed and came back to find the steering wheel on upside down – they would demand that the garage foreman not only remount the steering wheel properly, but fire the clown who worked on their car, have someone qualified go over it from top to bottom to see what else he might have screwed up, and fix all those things for free too.

    So, what do you think it would take to make things like that – a self-signed SSL cert, or SQL injection by entering the username 'OR1=1;-- at the login page – popularly understood to be the equivalent of an upside-down steering wheel? Not something you fix and accept, but something you thank your lucky stars the site builder was incompetent enough to give himself away with something that obvious, and not just barely competent enough to get past your non-expert inspection, only to let you kill yourself when the brakes give out next week?

  • mellowknees

    Joe Lieberman is a Republican in a whiny sheep’s clothing.