Clearly unprotected
August 5, 2008 11:43 AM

Clear passenger data stolen. An unencrypted laptop with the personal data, including name, address, SSN, passport number, date of birth, etc. of every one of the 33,000+ users of the Clear system has been stolen. The Clear system allows travelers who register and pay an annual fee to bypass airport security lines by using a smart card in some airports. TSA has suspended new registrations until Verified Identity Pass, Inc., a subsidiary of GE, figures out how to install PGP. VIP is the only private contractor allowed to register users to the Clear system. Via
posted by dejah420 (99 comments total) 4 users marked this as a favorite
 
<NELSON>

HA-HA!

</NELSON>
posted by mr_crash_davis at 11:48 AM on August 5, 2008 [17 favorites]


It could have been worse, someone might have tried to take it through customs and had it confiscated. Then we wouldn't even be allowed to know if it was missing or not.
posted by blue_beetle at 11:48 AM on August 5, 2008 [22 favorites]


Hilarious, sad, and typical.
posted by anthill at 11:49 AM on August 5, 2008


Thank god they left this to a private contractor, rather than relying on incompetent career bureaucrats!
posted by mr_roboto at 11:49 AM on August 5, 2008 [23 favorites]


Kip Hawley is a genius.
posted by orthogonality at 11:51 AM on August 5, 2008


This is almost perfectly idiotic - a thing of beauty!
posted by The Light Fantastic at 11:52 AM on August 5, 2008 [2 favorites]


Ha! No more cutting in line for youse!
posted by Mister_A at 11:54 AM on August 5, 2008 [2 favorites]


I believe these were 33,000 applicants to the program, not the total pool of people with Clear Passenger credentials.
posted by Peter Petridish at 11:54 AM on August 5, 2008


At times, I question the choice of having the fuckups run the country.

I suspect they might not be doing a quality job.

On a serious note, 33k applicants. Are any of these accepted? If they are, the program needs to stop immediately. If I understand it right, it allows a quick passthrough of the security process. Having access to their "identities" seems to open up a big ass security hole.
posted by Lord_Pall at 11:56 AM on August 5, 2008 [1 favorite]


The Clear system allows travelers who register and pay an annual fee to bypass airport security lines by using a smart card in some airports.

Wait, what? WHAT?

The oligarchy is here. And I'm sure glad there are no known billionaire terrorists.
posted by DU at 11:58 AM on August 5, 2008


Ha! Air Travel.

*gets on bike, pedals around without a care in the world*
posted by Science! at 11:58 AM on August 5, 2008 [3 favorites]




Or, as a gentleman from the slashdot thread says:

"All of those people should go on the no fly list"
posted by Lord_Pall at 12:00 PM on August 5, 2008 [9 favorites]


Peter, I think you are correct. The original news story, which has just been replaced with new copy in the last 5 minutes (I wish I had a copy of the original text), now says applicants. It also says that the laptop has been recovered. Oh, and that it had password protection. None of which was in the original release.

I hate when news organizations completely replace copy with new copy at the same url, rather than updating the story. It makes me reach for my tinfoil hat and mutter about conspiracies and the possibility of "truth".
posted by dejah420 at 12:00 PM on August 5, 2008


Quis custodiet ipsos custodes?

Seriously, for a laptop with such sensitive information to disappear is bad. But for it then to unexpectedly reappear in the same room is very, very bad.
posted by Skeptic at 12:01 PM on August 5, 2008 [2 favorites]


Privacy measures notwithstanding, what was this information doing on a laptop in the first place? Having personal information stay on a laptop for longer than the amount of time it takes to enter it into the system seems like a pretty massive design flaw.
posted by roll truck roll at 12:01 PM on August 5, 2008


The old story:

SAN FRANCISCO (CBS 5 / KCBS) ― The Transportation Security Administration says a laptop containing the sensitive personal information of 33,000 applicants to an airport security prescreening program has gone missing.

T.S.A. spokesperson Ann Davis told CBS an unencrypted computer storing the personal information on the cards went missing from SFO on July 26th, but the agency was not notified until Sunday.

The TSA has suspended new enrollments in the program, known as Clear, which allows passengers to pay to use special "fast lanes" at airport security checkpoints.

The laptop belonged to a privately run company known as Verified Identity Pass Inc., which operates the program at 17 airports nationwide.

An agency spokesman says the company must notify all affected applicants and show it has installed encryption on all its computers before it can restart enrollments.

Current Clear customers will still be able to use their cards while the breach is sorted out.

posted by roll truck roll at 12:04 PM on August 5, 2008


Looks like the old story says applicants too. WHERE IS THE TRUTH?
posted by spicynuts at 12:10 PM on August 5, 2008


So, certainly they're going to now realize what a god awful idea this is, that every privacy advocate was absolutely right, no one will ever want to sign up for this again and the government will quickly cancel this horrible, horrible idea. Right?

You know, just like electronic voting machines that run Windows CE? And a second term for dubya?
posted by Skwirl at 12:12 PM on August 5, 2008 [1 favorite]


So Clear's passenger screening has gone open source, I see.
posted by crapmatic at 12:13 PM on August 5, 2008 [3 favorites]


Even I know how to encrypt information and I'm a goddamn idiot!!
posted by milarepa at 12:14 PM on August 5, 2008 [2 favorites]


If it's possible to roar with laughter while banging one's head on the desk, then that is what I am doing.
posted by rtha at 12:14 PM on August 5, 2008 [16 favorites]


Anyone walking around with a laptop full of valuable data should have it handcuffed to her/his wrist.
posted by Carol Anne at 12:16 PM on August 5, 2008 [2 favorites]


dejah420 writes "It also says that the laptop has been recovered. Oh, and that it had password protection."

Password protection is no protection if the attacker has physical access to the machine. Likewise, recovery of the laptop is no guarantee that the hard drive wasn't duplicated.
posted by mullingitover at 12:20 PM on August 5, 2008 [3 favorites]


I've complained about this before, but to my eyes the mere fact that we need something like Clear demonstrates that we have a serious problem with air travel in this country. That security is so theatrically and poorly implemented that we need the equivalent of an identity speed pass suggests that we need to look at revamping the entire system.

And more on subject; if I'm planning on doing something bad on an aircraft, doesn't it make the most sense for me to simply gain access to someone who has this Clear authentication, and use their identification?
posted by quin at 12:21 PM on August 5, 2008 [2 favorites]


I hate when news organizations completely replace copy with new copy at the same url, rather than updating the story. It makes me reach for my tinfoil hat and mutter about conspiracies and the possibility of "truth".

This notion should be expanded upon (perhaps get its own post). Why should any "reputable" news service seek to bury its first-draft errors, incongruities, etc? Correct them by all means but don't "disappear" them. The world is confusing enough without breaking stories mysteriously rewriting themselves from one moment to the next.
posted by philip-random at 12:21 PM on August 5, 2008


so that's 33000 applicants who now cannot get this service, right? because it's pretty obvious that whoever stole this info now has the ability to pretend to be them, right?

right?
posted by shmegegge at 12:21 PM on August 5, 2008


That security is so theatrically and poorly implemented that we need the equivalent of an identity speed pass suggests that we need to look at revamping the entire system.

It's almost like this was made so bad that we almost had to have a private enterprise paid good money to speed people through it. It's a bonus that the company has a nice subpoena-able database with all this juicy stuff in it.
posted by maxwelton at 12:28 PM on August 5, 2008 [2 favorites]


I don't understand why anyone would ever sign up for Clear. You still have to take your shoes off, take your laptop out of your bag, and walk through the metal detector... that is the main annoyance at security.

If you are the frequent traveler that this program is aimed at, then you probably have elite status on your airline and get to skip the security line with just your boarding pass. So I'm not sure why you would pay $128 for the privilege of giving away your SSN, two forms of ID, and having a fingerprint and iris scan every time you show up at the airport.

And if you don't have elite status, $128 gets you 4000 miles closer if you pick the right flight.
posted by jrockway at 12:28 PM on August 5, 2008


I love that it was stolen at an airport.

But really, what the fuck? I work for an entity much smaller than the TSA, I do security assessments of our partners and outsourcers, and, well, "Do you encrypt data at rest?" is the second question asked. And they'll say "yes", and then it's my job to not believe them.

Obviously, TSA should have hired me.
posted by These Premises Are Alarmed at 12:29 PM on August 5, 2008 [1 favorite]


The world is confusing enough without breaking stories mysteriously rewriting themselves from one moment to the next.

I blame Cory Doctorow.
posted by elfgirl at 12:31 PM on August 5, 2008 [6 favorites]


Password protection is no protection if the attacker has physical access to the machine.

Thinkpads at least have hard drive passwords that can't be circumvented, and that are usually used with the power-on password. That's secure enough for me (and my Fortune 500 employer).
posted by smackfu at 12:31 PM on August 5, 2008


Pathetic. Just pathetic.
posted by tyllwin at 12:31 PM on August 5, 2008


If it's possible to roar with laughter while banging one's head on the desk, then that is what I am doing.

Yeah, this one cuts things up nicely in a couple of ways. 1. Exposes the flaw in having two tiers of security clearance (sorry, wealthy and powerful, you will have to stand in line with the proles). 2. Exposes the sloppy logic inherent in solving a problem by tossing huge amounts of cash at it, which has been the case with Security in general (Airport in particular) ever since 911; money does not attract solutions, it attracts flies, and fools, and certain technology "players" who will assure you they can do whatever it is you need them to, as long as the checks keep clearing.
posted by philip-random at 12:37 PM on August 5, 2008


Next up: the schadenfreude crisis -- our nation's reserves of this once plentiful resource are at historic lows.
posted by boo_radley at 12:42 PM on August 5, 2008 [8 favorites]


So I just looked at the enrollment process on Clear's website, and I can't believe how little it takes to convince the gubmint that you're not a terrorist. A couple gov't IDs, a credit history (Experian and their ilk, presumably), fingerprints and a credit card. 15 minutes online, another 10 minutes in person and presto! You're one of the good guys! (Apparently anybody with a good credit history could never be a bad guy.)

This is utter bullshit and it strains my credulity that a service like this is approved by the TSA. Follow the money, I know, but I feel like the USA has fallen down the rabbit hole and emerged in bizarro world. As far as keeping confidential data on a laptop and then losing it, well that's just par for the course in bizarro world.
posted by Quietgal at 12:43 PM on August 5, 2008


This notion should be expanded upon (perhaps get its own post). Why should any "reputable" news service seek to bury its first-draft errors, incongruities, etc? Correct them by all means but don't "disappear" them.

It's potentially a hangover from print -- papers do this every day, updating, correcting and spiking from edition to edition.
posted by bonaldi at 12:45 PM on August 5, 2008


You're one of the good guys!

Doesn't this program just mean they don't scrutinize your ID in line? You still need to do all the other screening bits, so it's not like it matters.
posted by smackfu at 12:48 PM on August 5, 2008 [1 favorite]


I guess this is evidence of what everybody already knew.

That laptops have taught themselves how to teleport.
posted by Astro Zombie at 12:50 PM on August 5, 2008 [1 favorite]


Anyone walking around with a laptop full of valuable data should have it handcuffed to her/his wrist.

I remember watching a show on PBS years ago about the credit card industry. I think Robert X. Cringely was involved.

Anyway, there was a segment of the show about biometrics, and how Visa (I think) was promoting the use of retina and fingerprint scanning for credit card charge authentication.

Cringely was talking to a security representative of Visa about this wonderful new technology, and morbidly asked what stopped a criminal from chopping off the victim's fingers or worse to get the card to work. The credit card company rep winced slightly and tittered nervously before the show moved on to some other topic.

Not sure what this is apropos of, but I imagine a suitcase like that which contained the Clear system data would probably be worth a meat cleaving to someone interested enough in its contents...
posted by Blazecock Pileon at 12:58 PM on August 5, 2008


Looks like it's been found.

Officials with Verified Identity Pass, which operates the Clear program, said the laptop was found Tuesday morning in the same office where it supposedly had gone missing.
posted by preparat at 12:59 PM on August 5, 2008


sorry, wealthy and powerful, you will have to stand in line with the proles

Ha! The wealthy and powerful just fly GA. No security whatsoever.
posted by mr_roboto at 1:01 PM on August 5, 2008


A couple of years ago I came up with a perfect way to avoid having to interact with US airport security: I no longer visit the US.
posted by Hogshead at 1:07 PM on August 5, 2008 [5 favorites]


We are committed to the transparency of our your privacy practices....

Fixed that for them.
posted by The Light Fantastic at 1:12 PM on August 5, 2008


"A couple of years ago I came up with a perfect way to avoid having to interact with US airport security: I no longer visit the US."

Let me guess: You don't own a TV either.
posted by mr_crash_davis at 1:13 PM on August 5, 2008 [3 favorites]


(sorry, wealthy and powerful, you will have to stand in line with the proles

Um, this costs like a hundred bucks. Don't exactly need to be "wealthy".

Besides, for most business travelers I know, the cost was never the issue. It was giving away all that info in the first place. And it seems our worries were not misplaced.
posted by wildcrdj at 1:20 PM on August 5, 2008


A couple of years ago I came up with a perfect way to avoid having to interact with US airport security: I no longer visit the US.

This has been my solution for dealing with UK airport security.
posted by birdherder at 1:21 PM on August 5, 2008


TSA has suspended new registrations until Verified Identity Pass, Inc., a subsidiary of GE, figures out how to install PGP.

Installation is simple enough. Key management is the issue. Permanently losing all your encrypted data because some absent-minded user forgets the password to their key is almost as disastrous as compromising all your data, unencrypted.

(obviously, though, in this case the laptop wouldn't have been the single source of truth for the customer data, but the point remains - you can't always just install this stuff out of the box & expect to have it work seamlessly)
posted by UbuRoivas at 1:45 PM on August 5, 2008


Smackfu, you're right. I'd still bet, though, that Clear customers are subjected to less scrutiny than regular shmoes - they're not paying a premium to get pulled aside for random intensive searches.

On another note, has anybody ever misplaced a laptop for real? (Honest question - I'm having a hard time picturing an office so chaotic that somebody could lose track of a laptop in the mess, only to have it resurface a few days later.) I lose paper all the time but I've never lost a computer, so I really can't see how this is anything but fraud. Or is this the kind of unfortunate thing that actually happens from time to time?
posted by Quietgal at 1:50 PM on August 5, 2008


Paying extra so you can cut in line-- it's the American Way!

oh, the irony.
posted by dunkadunc at 2:09 PM on August 5, 2008


Am I the only one who finds it mind-boggling that the private & highly sensitive data of all these people was stored on a laptop to start with, no matter whether it was encrypted or handcuffed to the employee!?
posted by ClarissaWAM at 2:09 PM on August 5, 2008 [1 favorite]


Was it this guy who had the laptop?
posted by nickyskye at 2:13 PM on August 5, 2008


Am I the only one who finds it mind-boggling that the private & highly sensitive data of all these people was stored on a laptop to start with, no matter whether it was encrypted or handcuffed to the employee!?

Nope. Me too.
posted by rtha at 2:15 PM on August 5, 2008


Well, Administaff (a company that does payroll and benefits for other companies) kept at least part of their payroll data on a laptop. Which was stolen last year, which really sucked for my coworkers who were in that database. Seems to be pretty common, albeit stupid, to keep sensitive data on the least secure hardware you can think of.
posted by Quietgal at 2:38 PM on August 5, 2008


Paying extra so you can cut in line-- it's the American Way! Oh the irony.

Why are people so incredulous about this?


If I can afford to avoid the hassle of flying coach, why shouldn't I spend another $100 for this and make my trips even more enjoyable?

Nothing ironic about that..
posted by Zambrano at 2:51 PM on August 5, 2008


Permanently losing all your encrypted data because some absent-minded user forgets the password to their key is almost as disastrous as compromising all your data, unencrypted.

It's disastrous for different people, though. As a consumer, I'm much more concerned about companies preventing third parties from accessing my confidential data than I am about them losing their own access to that data.

has anybody ever misplaced a laptop for real?

Sure, if it's not issued to an individual. That kind of stuff happens all the time.
posted by me & my monkey at 2:51 PM on August 5, 2008


If I can afford to avoid the hassle of flying coach, why shouldn't I spend another $100 for this and make my trips even more enjoyable?

The 9/11 terrorists would agree with you, having purchased first class tickets for everyone. It's a good team-building philosophy.
posted by Blazecock Pileon at 3:13 PM on August 5, 2008


As Bruce Schneier has pointed out, the real value of the Clear program is to allow people to pay extra to jump to the front of the queue while still being subject to the same security checks as everyone else. The value is not to let allegedly 'good' people skip the security checks, and in fact they don't.

The problem with the program is that because people are subjected to the background checks, it's an almost risk-free way for potential terrorists to see if the FBI is on to them yet. Ready to execute your plan? Sign up for Clear. If you're let in, then go for it. If you're rejected, then you'll have to find someone else to actually carry out the plan.

Ideally, the clear program would have no background check involved at all and would simply be a for-pay line jumping system akin to being in First Class or having Elite status with an airline. All you would present would be a card and your normal ID, just to prevent sharing of the Clear account. A certain percentage of the money spent on the program would go to fund more airport security lanes for the proles. Thus, it essentially becomes a tax on impatient wealthy people from which patient not-so-wealthy people benefit. Everybody wins.

Thus, Clear needs to ditch all of this private data they're hoarding and basically just act as a glorified toll collector.
posted by jedicus at 3:13 PM on August 5, 2008


Interesting thing is that just last week, the TSA said the background check was useless and they aren't going to do it anymore (if they ever did).
posted by smackfu at 3:18 PM on August 5, 2008


The problem with the program is that because people are subjected to the background checks, it's an almost risk-free way for potential terrorists to see if the FBI is on to them yet. Ready to execute your plan? Sign up for Clear. If you're let in, then go for it. If you're rejected, then you'll have to find someone else to actually carry out the plan.

Unless the FBI is running a diabolical X-K-Red 47 double bluff plan, of course, in which case you'll just need to hack the database with the username and password of "Administrator" and "password", respectively, to get yourself cleared.
posted by Blazecock Pileon at 3:32 PM on August 5, 2008


You still have to take your shoes off, take your laptop out of your bag, and walk through the metal detector... that is the main annoyance at security.

But a TSA person gets bins for you too! I love Clear card.

Doesn't this program just mean they don't scrutinize your ID in line? You still need to do all the other screening bits, so it's not like it matters.


I've only had a couple opportunities to use mine, but each time I have used it a TSA person still checked my ID. Actually, everything was the same except I got to cut in line and they handed me some bins.

Using the first/business/elite line gets you pretty much the same thing. But I don't fly enough on the same airlines to make elite status and only get upgraded occasionally. If my company didn't pay for the Clear card, I wouldn't have popped for it myself. It probably isn't worth the privacy risk, but uh...I'm not exactly careful about that to begin with.
posted by mullacc at 3:38 PM on August 5, 2008


nickyskye writes "Was it this guy who had the laptop?"

That's Jorn Barger, the guy who coined the term "weblog". No, seriously, it is.
posted by orthogonality at 3:45 PM on August 5, 2008


This is utter bullshit and it strains my credulity that a service like this is approved by the TSA.

Yes, because the usual security theater is so effective in preventing terrorism.
posted by Mental Wimp at 3:47 PM on August 5, 2008


Mental Wimp, it's not like I think the normal "security" process does much good either. I made the comment you quoted before having read the links that explain how Clear actually works; the FPP says customers "bypass airport security lines" and I mistakenly interpreted that to mean they bypass security altogether and waltz right to the gate. Which is where the "good credit = good guy" idea came from. Things have been so bizarro in the last few years, it seemed plausible that the US government would approve a system like that. In fact, there's probably a business opportunity right there.
posted by Quietgal at 4:14 PM on August 5, 2008


The Clear system

Who knew there was a benefit to Scientology after all?
posted by davejay at 4:31 PM on August 5, 2008 [1 favorite]


This just goes to show how much security billions of taxpayer dollars and the sacrificing of civil liberties will buy you. I believe Penn & Teller saw this coming.
posted by Pseudology at 4:50 PM on August 5, 2008


Paying extra so you can cut in line-- it's the American Way! Oh the irony.

You ever been to Germany or several other European nations I won't name? You don't even have to pay to cut in line - all you need is the ability to completely ignore your fellow man/woman and muscle your way up front. At least in the U.S. there is a real line to pay to skip in front of.
posted by spicynuts at 4:52 PM on August 5, 2008


This is reminiscent of the hard drives which contained information used to defuse or disable nuclear weapons which went "missing" from a locked vault at Los Alamos National Laboratory in 2000. A month later they were eventually "found" behind a copying machine.
posted by ericb at 4:58 PM on August 5, 2008


...or several other European nations I won't name?

Perchance, Italy?
posted by ericb at 5:06 PM on August 5, 2008


Mental Wimp, it's not like I think the normal "security" process does much good either.

Sorry, I wasn't trying to slam you; I just wanted to vent my repeated frustration at having to put up with the security theater every time I fly, knowing it does absolutely no good.
posted by Mental Wimp at 5:28 PM on August 5, 2008


My wife and I both have Clear pass as we fly cross country often. Me, I like to arrive most places hours in advance as I hate being late. She, on the other hand, prefers to travel in a much more umm casual manner, clear pass allows her to do this, and makes her and thus me happy. Some of the best money we ever spent. As for the frequent flyer miles yeah it kinda works but it seems like the line at clear pass is shorter most of the time. We liked it so much we bought clear pass gift certificates last year for some of our clients and vendors around holiday time. According to the response we received from them I would say that clear pass was much better than chocolate and fruit and equal to but not quite as cool as the heifer international cows and goats which we also hooked them up with.
posted by HappyHippo at 6:32 PM on August 5, 2008


Just to be fair, the Clear program isn't exactly a case of just giving the TSA your personal info on a website and paying your money to cut in line. Once you submit all the info and pay your dues, a background check is performed before you are actually given the Clear card.

So even though you have to go through the same procedures as everyone else does (mostly) at the airport, the security procedures are indeed heightened because you are now a known entity in the system with a vetted background. And of course nothing's perfect! The trade-off is that you get to use the short line once your biometrics match up to those of the card.

I pay taxes, so I'm pretty sure the Govt. already knows my SSN. Point is - if I'm a frequent traveler who values a speedier trip through the security line, $128 and a background check is a fair deal.
posted by matty at 6:39 PM on August 5, 2008


Make sure you document your claims:
C. Identity Theft Warranty.

Clear has put in place what we believe to be strong, effective measures to protect the security of the limited information we collect from members. Because we have implemented these measures and because the public is rightfully concerned about identity theft, we make the following promise to all members: In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts.

posted by SpaceBass at 6:53 PM on August 5, 2008


It's potentially a hangover from print -- papers do this every day, updating, correcting and spiking from edition to edition.

Except it isn't. This way, the mistake 'never happened'. Newspapers print corrections/retractions/errata, which allow you to compare with the previous version.
posted by dirtynumbangelboy at 7:58 PM on August 5, 2008 [1 favorite]


smackfu wrote:
Thinkpads at least have hard drive passwords that can't be circumvented, and that are usually used with the power-on password. That's secure enough for me (and my Fortune 500 employer).


Thinkpads also require the removal of a single screw to extract the hard drive, after which your hard drive password is ineffective. ;)
posted by wierdo at 8:39 PM on August 5, 2008


If I get on Clear can I take my Jumbo Bonnie Bell 4 oz. lip gloss in my carry-on? Those 3 oz. ones run out so fast.
posted by Lukenlogs at 8:42 PM on August 5, 2008


For short-haul trips, the lack of "security" procedures on the bus makes up for the slightly increased risk of being beheaded and eaten.
posted by oaf at 8:50 PM on August 5, 2008 [2 favorites]


New Greyhound slogan: "Where will you be headed today?"

Old slogan: "There's a reason you've never heard of bus rage." Seriously.
posted by five fresh fish at 9:16 PM on August 5, 2008 [2 favorites]


Just to be fair, the Clear program isn't exactly a case of just giving the TSA your personal info on a website and paying your money to cut in line. Once you submit all the info and pay your dues, a background check is performed before you are actually given the Clear card.

I still don't see the point. Why is having a clean background a prerequisite to this sort of cutting in line? You still undergo the same screening as everyone else, clean background or not.

Like I said earlier, this sounds like a big hassle for a very marginal benefit. And, I feel my tax dollars are being wasted. I propose a replacement: the check-in kiosk asks you "do you want to cut in line" and if you say yes, charges you $10.
posted by jrockway at 9:58 PM on August 5, 2008 [1 favorite]


in which case you'll just need to hack the database with the username and password of "Administrator" and "password"

BP, please don't publish this kind of sensitive material again without using the approved obscurity practices.
posted by flabdablet at 9:58 PM on August 5, 2008 [2 favorites]


New Greyhound slogan: "Where will you be headed today?"

I hear a breach of copyright action has been lodged by al Qaeda.
posted by UbuRoivas at 10:18 PM on August 5, 2008


Just to be fair, the Clear program isn't exactly a case of just giving the TSA your personal info on a website and paying your money to cut in line.

No, it's giving a private company under the control of the TSA your personal info on a website and paying money to cut in line.
posted by dirigibleman at 10:44 PM on August 5, 2008


[Clear customers are] not paying a premium to get pulled aside for random intensive searches.

Or, you know, maybe they are. As everyone and their dog has pointed out, any terrorist smart enough to tie their shoelaces would get a Clear pass. And if they were denied, they'd try to find someone in their org who wasn't. So, I'd think that Clear holders would be marginally more probable to be terrorists than non-Clear passengers. (That is, if there were enough terrorists on US airlines for us to be able to speak statistically about them.)

It's potentially a hangover from print

Or maybe just the way newswires work. Back when I had newswire access via clari.*, it was common for me to see a wire story be updated half a dozen times over its lifespan, as new facts came in and so on. Presumably the idea was that each print newspaper would use the most current version of the story when they went to press. The fact that these updates are now visible to the end reader is one of the advantages and disadvantages of electronic publishing, I guess.
posted by hattifattener at 11:14 PM on August 5, 2008


So, private company loses laptop with sensitive information of 30k people. Outrage ensues, costing said company reputation and profit, and possibly threatening its survival as an entity. So the company says, "Oh, hey ... uh, we found the laptop. It was there all along. Here it is. We are so embarrassed."

And people believe that this is the same laptop that was supposedly lost, and that there was, in fact, no lost laptop.

Right.
posted by moonbiter at 1:15 AM on August 6, 2008 [2 favorites]


This has been my solution for dealing with UK airport security.

You *say* that, but we all know that the real reason is that Americans just can't afford to come here any more.
posted by PeterMcDermott at 2:10 AM on August 6, 2008 [2 favorites]


smackfu: Thinkpads at least have hard drive passwords that can't be circumvented

The manufacturer would like you to believe this. It is almost certainly not true.
posted by zippy at 3:25 AM on August 6, 2008


Good. Now those rich assholes can enjoy their own version of DHS incompetence and arrogance.
posted by fourcheesemac at 5:24 AM on August 6, 2008


It is almost certainly not true.

Cite?
posted by smackfu at 5:27 AM on August 6, 2008


Our proprietary process removes the password protection from a locked notebook (Travelstar™) Hard Disk Drive without the loss of user data or replacement of the drive. If your problem is just a locked HDD, Nortek requires only the drive for servicing ... Unlock $85 US
posted by zippy at 5:48 AM on August 6, 2008


Heh. I wonder why anyone would even pay for the first two options. Since they don't preserve the data, it would be cheaper to buy a new hard drive. The $300 option is interesting. I wonder how they do it? Maybe move the platters into a new drive?
posted by smackfu at 5:53 AM on August 6, 2008


First post! (once my MetaClear application goes through)
posted by Who_Am_I at 5:55 AM on August 6, 2008 [1 favorite]


SmackFu, the claims I've read while searching on this are that the drive recovery places access the Travelstar using a modified disk controller that completely bypasses the controller-based password protection. They can then: read the password, reset it, read all of the data on the disk, etc.

That's the claim. For all I know, there may be an even simpler solution.
posted by zippy at 6:00 AM on August 6, 2008


Yeah, I figured something like that. For people who use whole drive encryption, do you change your password regularly? It seems like you wouldn't since you'd have to re-encrypt the whole drive. Or is there some clever way around this?
posted by smackfu at 7:06 AM on August 6, 2008


For people who use whole drive encryption, do you change your password regularly? It seems like you wouldn't since you'd have to re-encrypt the whole drive.

Some encryption systems have a large encryption key (1024 bits or larger) that's unlocked by a usually-smaller user password. So, when you change your password, they only have to re-scramble the "rest of the drive" decryption key.
posted by brokengoose at 10:49 AM on August 6, 2008
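
The scheme brokengoose describes above, sketched as an added example (not part of the thread and not any product's code): a random master key encrypts the drive, and only a small header holding that key, wrapped under a password-derived key, is rewritten on a password change. The function names, the iteration count and the XOR-plus-HMAC wrap are assumptions standing in for a standard key-wrap cipher, using only the Python standard library.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this sketch)

def _derive(password, salt):
    """Stretch the password into a 32-byte mask and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def wrap(master_key, password):
    """Build the small header that stores the master key under a password."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt, so the mask is never reused
    mask, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap(header, password):
    """Recover the master key; raise if the password or header is wrong."""
    mask, mac_key = _derive(password, header["salt"])
    expect = hmac.new(mac_key, header["salt"] + header["wrapped"],
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, header["tag"]):
        raise ValueError("wrong password or corrupted header")
    return bytes(a ^ b for a, b in zip(header["wrapped"], mask))

def unlocks(header, password):
    """True if this password opens this header."""
    try:
        unwrap(header, password)
        return True
    except ValueError:
        return False

def change_password(header, old_password, new_password):
    """Re-wrap the same master key; the encrypted drive data is untouched."""
    return wrap(unwrap(header, old_password), new_password)
```

A copy of the old header still opens with the old password and yields the same master key, so a password change does not protect a drive whose header was already copied; that case needs a new master key and a full re-encryption.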


Posting corrections is encouraged, but I think that (foot)noting them is a good idea.

We could factcheck them. I'm curious if a DIY distributed Internet Archive or github would be better for archiving, diffing, & annotating revisions.
posted by Pronoiac at 2:06 PM on August 6, 2008


Having your private data kept private is another fee. Capitalism rocks!
posted by theora55 at 2:13 PM on August 6, 2008


Thinkpads at least have hard drive passwords that can't be circumvented

No security exists that cannot be circumvented, via algorithmic flaws, implementation flaws (which lead to side-channel attacks), or systemic flaws; in the end, you are dealing with a system designed by humans, and eventually every human system fails.
posted by secret about box at 7:28 PM on August 6, 2008


If anyone's interested, Clear members got this email from the Clear CEO today:

Dear XXX,

We take the protection of your privacy extremely seriously at Clear. That's why we announced on Tuesday that a laptop from our office at the San Francisco Airport containing a small part of some applicants' pre-enrollment information (but not Social Security numbers or credit card information) recently went missing. None of your information was in any way implicated. However, we were prepared to send those applicants and members who were affected the appropriate notice on Tuesday detailing that situation.

Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.

Again, none of your personal information was on the computer in any form, but we nonetheless wanted to give you details of the incident that could have affected others applying for Clear memberships because the incident involves Clear's privacy and security practices and policies.

We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.

As you may know, our Privacy Policy states that we will notify you of any compromise of your personal information regardless of whether any state statute requires it. This letter is a good example of our policy: no law requires that we notify you of this incident because our investigation of the recovered laptop revealed no breach and because in any event none of your own information was affected. But we think it's good practice to err on the side of good communication with all Clear members, especially when, in this case, we did make a mistake by not making sure that limited portion of information was encrypted.

Please call us toll-free with any questions at (866) 848-2415. Again, we apologize for the confusion.

Sincerely,
Steven Brill
Clear CEO

P.S. A reminder: One of Clear's unique privacy features is that all members and applicants are given an identity theft protection warranty which provides that, in the unlikely event you become a victim of identity theft as a result of any unauthorized dissemination of your private information by - or theft from - Clear or its subcontractors, we will reimburse you for any otherwise unreimbursable monetary costs directly resulting from the identity theft. In addition, Clear will, at its own expense, offer you assistance in restoring the integrity of your financial or other accounts. So had there been any actual compromise of your personal information, you would have been additionally protected.
posted by mullacc at 12:58 PM on August 7, 2008






This thread has been archived and is closed to new comments