A Wednesday letter from the Presidential Advisory Commission on Election Integrity gives secretaries of state about two weeks to provide about a dozen points of voter data. That also would include dates of birth, the last four digits of voters’ Social Security numbers… (NYTimes story) Of this writing, 44 states have refused.
I want to consider only the information security aspects of the letter, which also states that “Please be aware that any documents that are submitted to the full Commission will also be made available to the public.”
Publishing a list of SSNs is prohibited by 42 USC 405(c)(2)(C)(Viii), but that only applies to “SSNs or related record[s].” Related record means “any record, list, or compilation that indicates, directly or indirectly, the identity of any individual with respect to whom a social security account number or a request for a social security account number is maintained pursuant to this clause.” So its unclear to me if that law prohibits publishing the last 4 digits of the SSN in this way.
So, if a list of names, addresses, datas of birth and last four digits of the SSN of every voter are made available, what does that to to they myth that those selfsame four digits can be used as an authenticator?
I’d like to thank the administration for generating so much winning in authentication, and wish the very best of luck to everyone who now needs to scramble to find an alternate authentication technique.
Image credit: Jeff Hunsaker, “Verified by Visa: Everything We Tell Folks to Avoid.”
It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that:
So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; so the same information is on a Delta, US Airways, American and all other boarding passes. I am just using United as an example. I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.
“Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System.“
So, apparently, they’re not even preventing yesterday’s threats, ones they knew about before the recent silliness or the older silliness. (See my 2005 post, “What Did TSA Know, and When Did They Know It?.)”
What are they doing? Comments welcome.
Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs.
Once again, Kip’s wrong.
First, Kip is wrong, and ought to know he’s wrong about those operators. Those operators are likely to get bored and be unable to focus on the images after a while. That’s why the TSA inserts fake images of weapons in its XRays. Detecting these anomalies is hard. (Perhaps TSA inserts fake images in the nudatron images, but I didn’t see any mention of such functionality in the system requirements that EPIC forced TSA to release.
Second, he doesn’t understand why Al Qaeda would focus on underwear bombs. Really? You don’t get that for a failed attempt, millions of people will be photographed naked, groped and humiliated? They focus on the things that make the bureaucracy that Hawley built convulse. That bomb didn’t even make it onto the plane, and we’re all expecting the next shoe to drop.
Eric Fischer is doing work on comparing locals and tourists and where they photograph based on big Flickr data. It’s fascinating to try to identify cities from the thumbnails in his “Locals and Tourists” set. (I admit, I got very few right, either from “one at a time” or by looking for cities I know.)
This reminds me a lot of Steve Coast’s work on Open Street Map, which I blogged about in “Map of London.” It’s fascinating to watch the implicit maps and the differences emerge from the location data in photos.
Via Data Mining blog and
In “TSA shuts door on private airport screening program,” CNN reports that “TSA chief John Pistole said Friday he has decided not to expand the program beyond the current 16 airports, saying he does not see any advantage to it.”
The advantage, of course, is that it generates pressure on his agency to do better. I hope that he’ll be forced to answer to John Mica, who encouraged airports to do this, and is the chairman of the committee on transportation and infrastructure.
I believe Hosni Mubarak made similar comments about not needing regime change.
Over at We Won’t Fly, George Donnelly writes:
I was about to delete an offensive comment on this blog – one of the very few we get – and thought, hmm, I wonder where this guy is posting from? Because, really, it is quite unusual for us to get nasty comments. Lo and behold, the troll posted to our website from an IP address controlled by the federal government’s Department of Homeland Security! Here is the taxpayer-funded troll’s gem of a comment, for your entertainment:
In response to Chris’s “Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft” we got a comment from 126.96.36.199. It was from Ran, and he wrote:
“What color eyes and hair did the terrorist who shot up the Holocaust museum a few days ago have? How about the guy who murdered that abortion doctor?
Are you suggesting that your blonde haired blue eyed friend should be given a pass when alarming airport metal detectors because he has an X-Ray image that he claims is of his ankle? You have got to be kidding, right?”
Which, really, isn’t a dumb comment. It’s an element of a reasonable threat assessment. Which just plays into my confirmation bias that our commenters are regularly smarter and more insightful (or at least more aware of privacy enhancing technologies and practices) than other blogs commenters.
Thank you all for a lovely year of insightful comments here at the combo.
Get this 2-page Passenger’s Rights Sheet: http://saizai.com/tsa_rights.pdf
Intrusiveness and outrage:
- “Homeland Security Is Also Monitoring Your Tweets”
- “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.'”
- “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations ” (Video from ABC Tampa) “looking for terrorism, immigration violations and bulk cash smuggling.” Unfortunately for TSA, this undercuts their argument that you have a choice of ways to travel, and fails to meet any sort of 4th amendment standard.
- “Delvonte Tisdale’s death is a tragedy that raises questions about security, DA says” (Andrew Ryan, Boston Globe) It appears that a teenager snuck past security and into the wheel well of a 737, then died when it opened near Boston.
- TSA Newly banned items (UCBComedy video)
- TSA pat-down of Indian ambassador Meera Shankar causes uproar (Elizabeth Crisp, Mississippi Clarion Ledger)
- “Colo. lawyer sues over TSA airport screening” AP story by P. Solomon Banda about Gary Fielder’s lawsuit
- Woman with mastectomy suing TSA in Albequerque “to which the supervisor said ‘well you don’t have boobs'”
- “Harvard Law Students Sue TSA” Harvard Law Record story about Jeffrey Redfern and Anat Pradhan’s lawsuit. Well reported, mentions suits in Florida and Arkansas, not the EPIC lawsuit. So that’s at least 6 suits pending. Is there a single list somewhere?
- “The Medical Problems of Airport Screening: It’s Not Just the Radiation” (Jane Orient, MD, Association of American Physicians and Surgeons blog)
- “TSA workers, experts worry about radiation exposure” (Allison Young, USA Today) “Six of 281 machines used to screen checked luggage violated federal radiation standards, some emitting two or three times the allowed limit, the CDC found.”
- “Frequent travelers oppose new TSA security screenings” (USA Today story by Gary Stoller)
- “State of New Mexico v. Phillip Mocek” (Identity Project blog on Phillip Mocek case)
- “An evaluation of airport x-ray backscatter units based on image characteristics” (Leon Kaufman, Joseph Carlson, Journal of Transportation Security) Machines are easily fooled. Via Slashdot.
- “The Fear Profiteers” (Naomi Wolf)
Finally some humor from Lucas Cantor: