Stealing Osama's Identity
July 15, 2005 1:26 PM   Subscribe

Security, the TSA, and the No-Fly List You would think that our National Security apparatus would be like the TV series "24", with the most ingenious and sophisticated technology available. You would be wrong. Disclaimer: TSA is not an intelligent intelligence agency. Here's a blurb from the resume of the designer(Kenneth Mack) of the application the airline industry uses for *PDF* managing their employee data and the cross-checking them with the no-fly list:
- Sr. Developer: Developed a program [for Goddard Technologies] that uses the "No-Fly List" Excel spreadsheet, provided by the FAA and the database of badged employees to permute the name combinations. It takes into consideration multiple first and middle names, with Soundex and the various "initial" combinations. This program reduced the time for comparison from 3 days to 10 minutes.
The scary yet interesting part of all of this is that the No-Fly List is nothing more than a password-protected spreadsheet (see this PDF). One would guess our Government's geeks would know that it's a bad idea to send email attachments containing social security numbers and dates of birth, unencrypted, over the internets, even if they might be terrorists.
posted by rzklkng (30 comments total)
if it's password protected, it is encrypted. Just not very well.
posted by delmoi at 2:01 PM on July 15, 2005

That said, the "no fly" list is probably pretty small, so there's not really much of a reason not to use Excel, other then that it's quite goofy.
posted by delmoi at 2:02 PM on July 15, 2005

if it's password protected, it is encrypted. Just not very well.

Weak encryption is just as bad as no encryption.
posted by cmonkey at 2:05 PM on July 15, 2005

And using weak encryption with a pre-shared key (the password) is even worse.
posted by cmonkey at 2:06 PM on July 15, 2005

This works great, until we get to the 65,537th terrorist.
posted by wah at 2:12 PM on July 15, 2005

Weak encryption is just as bad as no encryption.

In fact it's probably worse. Weak encryption can provide a false sense of security--for instance, people may become lax in following additional security procedures (ie, by sending the file via email) because of this false sense.
posted by MikeKD at 2:18 PM on July 15, 2005

I don’t get the whole concept of a “no-fly” list:

If you know somebody is sooooo dangerous he can never ever be allowed on a plane, no matter what sort of strip-search, anal probe, cat-scan or interrogation you put him through, that his mere presence on an aircraft causes it to crash into the nearest skyscraper, wouldn’t you put him in jail? Assign his own personal FBI-goon to shadow him 24/7?

“No flying for you, buddy! We’re on to you! Feel free to walk around, taking pictures and leaving briefcases in subways, though”.
posted by signal at 2:26 PM on July 15, 2005

Amusingly or not depending on how you look at it, apparently recently someone with my real name was added to the no-fly list. I can no longer check in curbside, and the level of scrutiny I get when I fetch my boarding pass has ranged from not even raised eyebrows to requiring a call to some unknown number where the personal information from my DL is reeled off. I've not yet been denied boarding, nor have I been subject to additional security measures that I'm aware of.

One person recommended that to avoid this in the future I may want to try and get my next ticket using my full (including middle) name. If that works, I'm going to laugh my ass off.
posted by wolftrouble at 2:41 PM on July 15, 2005

The situation is easy to understand.
Bureaucrat Man sees 2 policy alternatives:

1) No-fly better-safe-than-sorry lists
2) Let 'em Fly

Should alternative 2) see another team of islamomistacists take out some more of NY's skyline then Bureaucrat Man will catch a lot of shit from Upon High and not have good career prospects going forward.

Policy 1) greatly inconveniences many people, and shoves the power of the Bureaucrat Man into everyone's faces, but these are features, not bugs, as far as Bureaucrat Man is concerned.
posted by Heywood Mogroot at 3:27 PM on July 15, 2005

Ahh yes, I was in the same predicament. No curb side check-in, no online check-in, and the agent at the desk would disappear with my license to make The Call. After about six months it stopped and now I check in where ever I want along with the rest of the non-terrorists.
posted by aenea at 3:32 PM on July 15, 2005

Um ... does Excel still have that 65,535 row limit?
posted by kaemaril at 3:44 PM on July 15, 2005

One person recommended that to avoid this in the future I may want to try and get my next ticket using my full (including middle) name. If that works, I'm going to laugh my ass off.

I am on the "Selectee" list, having earned that honor after a number of one-way trips between San Francisco, Vegas, Vancouver, and Washington, DC, many with short notice, some of which didn't involve return air travel, one of which was paid in cash (Vegas -- I won), and several of which I had to change after purchase. A minor federal marijuana beef in 1995 may also have come into play here.

I've tried booking tickets with and without my middle name, and using a shortened form of my first name (i.e. Rich for Richard, Tom for Thomas).

While I've never had a problem checking in with a ticket that had a short form of the name on my ID (contrary to popular belief), nothing I could do has prevented me from receiving the big S on my bording pass.

Now, YMMV, considering that you're not actually on the list, but for this person who is, playing the name game doesn't help.

With that said... the "Selectee" security line/room is generally shorter and faster in most US airports, so it's something of a mixed blessing. I wait for the guy to paw through my briefcase, while you wait in line.
posted by toxic at 3:45 PM on July 15, 2005

The TSA: making sure you won't have to sit next to David Nelson on your next flight.
posted by clevershark at 4:31 PM on July 15, 2005

Perhaps it's Friday afternoon and I'm tired, why is this information secret? How is this different than "wanted" posters in a post office?
posted by ParisParamus at 4:45 PM on July 15, 2005

I'm sure it wouldn't be a problem to get into that file and add ParisParamus.
posted by eyeballkid at 4:55 PM on July 15, 2005

I guess it's worth it to share how I came across this nugget...someone at the CIA had browsted my home page, googling for "no fly list spreadsheet xls". I got a screencap here. First and foremost, would it be reasonable to assume that they were looking for it "in the wild" because it may be out there? BTW, guess who helps maintain the No-Fly List? Coicepoint.
posted by rzklkng at 5:17 PM on July 15, 2005

posted by rzklkng at 5:18 PM on July 15, 2005

Perhaps it's Friday afternoon and I'm tired, why is this information secret?

By exposing who is on the list, it might be able to 'reverse engineer' how the list was compiled. Exposing algorythm used for suspcious activity, clandestine information channels or agents.

To paraphrase Sun Tzu:
All warfare is based on deception.
posted by MiltonRandKalman at 5:56 PM on July 15, 2005

I wonder if there's a Excel Wizard for this ("It looks like you're trying to find a suspected terrorist on a commercial airliner passenger manifest. Would you like some help?").

Not to condone a watchlist, but I guess that an Excel spreadsheet is better than "non-invasive neuro-electric sensors" (jpg) (entire document).
posted by soda pop at 6:19 PM on July 15, 2005

More likely, considering that they're using Excel to do this, the 'secrecy' is probably from their fear that we'll discover how completely clueless they are.
posted by Malor at 8:43 PM on July 15, 2005

Wanna bet someone at DHS is just now googling MetaFilter? Can a sock puppet be on a no-fly-list?
posted by realcountrymusic at 9:02 PM on July 15, 2005

I work for an airline and have access to the no-fly list (in PDF format.)

First of all, it is HUGE. Like, 500 pages long. It looks like a spreadsheet but I didn't realize it was Excel. Not quite 65,536 names (heh!) but certainly in the ballpark of 10,000, I'd guess.

There are a lot of problems with it obviously. All it takes is one 'suspect' to use the alias 'Joe Smith' on a flight, and anyone named anything close to 'Joe Smith' will forever be flagged. I've seen it happen with numerous common last names.

Finally, to toxic and others I've heard make similar comments, you won't find your way onto any maintained list because of your travel habits. However, each time you travel, you may be flagged for reasons other than being on a list (as you've found, buying one-way tickets and/or buying with cash are among those reasons, in addition to buying at the last minute.)
posted by gazole at 9:07 PM on July 15, 2005

What if this is a fake list? Disinformation? OK. Now I'm going to look at the list for the first time.

By the way, SodaPop: funniest thing I've read on Mefi in quite some time!
posted by ParisParamus at 9:45 PM on July 15, 2005

You know, this post is a let-down. I thought there was actually a link to the list.

Wah: very funny comment.
posted by ParisParamus at 9:51 PM on July 15, 2005

1. Excel spreadsheet passwords are not only considered weak encryption, they're not considered safe for government use - I wonder how in the hell this format was chosen?
2. What were they using prior to Excel? VisiCalc? I mean, damn.
3. Government officials can already count on this file being in the hands of someone that shouldn't have it.
posted by FormlessOne at 10:12 PM on July 15, 2005

It doesn't surprise me that it's all so low-tech. Most organisations, even those handling sensitive information (e.g. financial institutions), have shockingly poor systems for handling data in at least one dept. Crude spreadsheets containing outdated copies of data and clunky macros are everywhere.

Similarly, I don't think people realise how many e-commerce sites still email order details through to someone who then prints them out and hands the printouts to someone else who enters the data into the phone order system...
posted by malevolent at 2:16 AM on July 16, 2005

It's probably safe to say that this list (2.2MB *.TXT file) from the US Treasury found on cryptome has a good bit of overlap with the "NFL". And for everyone poo-pooing that it's a small list, it's somewhere between 12k and 20k from what I've seen reported.
posted by rzklkng at 7:54 AM on July 16, 2005

If I had ever submitted a security solution like this for a client, I'd have fired myself.

There are many easily found utilities that would go through an Acrobat password like buttah.

There are also many and constantly new virii, trojans, etc. that e-mail the contents of hard drives and mail archives to all sorts of places, including peer-to-peer services.

I'm sure the list is in circulation. That's the Occam's answer for the pings from the CIA.

But are we entirely sure it's actually CIA who is phishing for PDAs?

Is it possible that someone has infected the CIA with a trojan or perhaps owns their "" box for fun and games?

Either never name a document of that sensitivity level in such an intutitve manner...should call such files "0507_XPsgr.xls" at the very least. That's still easy enough to parse out for those who have to reference them every day...yet just odd enough to slightly confuse those that trip up on them accidentally.

Of course names like "0507_Doc3992_Sec604.xls" are better yet.

Not smart to name confidential documents things like "US Counter-Espionage Covert Agent List - Africa.xls" or "US Double-Agent List - Al Qaeda.xls."
posted by Dunvegan at 6:26 PM on July 16, 2005

let's face it, flying sucks now.
posted by brandz at 7:31 PM on July 16, 2005

Either never name a document of that sensitivity level in such an intutitve manner

Security through obscurity? That's a fairly discredited approach to security. Your enemies should never be able to even list the files on a computer that contain a sensitive document. If they can, it doesn't matter whether your files are called USDALAQ.xls or Top Double Super Secret Spy Plans.doc—you're fucked either way.
posted by grouse at 1:36 PM on July 17, 2005

« Older The Bipedal Exo-Skeletal Robotic Vehicle   |   Collaborative real-time music (internet jamming) Newer »

This thread has been archived and is closed to new comments