Friday, August 8, 2008

Clear Program >= "Pathetic"

I must say, I'm completely blown away by what has happened with the Clear Program.  For those of you who do not know what/who Clear is....

Clear® is the fast pass for airport security. Clear members are pre-screened and provided with a high-tech card which allows them to access designated airport security fast lanes nationwide. Clear members pass through airport security faster, with more predictability and less hassle.

Basically, they pre-screen you through TSA and give you a card to carry around so you don't have to wait in line with all of the other yahoos.  So let's take a look at the recent email that just came out. First line of the email ...

We take the protection of your privacy extremely seriously at Clear. 

This isn't giving me a warm feeling.  Next?

Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.

Okay....this isn't getting any better.  Next?

We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.

So .... as a security person, my first question would be -- HOW DID THIS COMPANY GET APPROVED TO OPERATE WITH TSA SENSITIVE DATA WITHOUT THE USE OF ENCRYPTION?  Yet another quote from the privacy policy....

TSA also conducts periodic audits to assure that we comply with their extremely high standards of data security.

Okay...I won't be hiring these idiots to perform my next vulnerability assessment...

We use encryption (a strong data coding process) for all program sensitive data communications. We apply firewalls to guard against outside intruders.

Wow!  Now this is really surprising to me -- yet another group of yahoos who think that a firewall is going to guard your applications from compromise.  Brilliant.

I'm sorry folks, but there are few moments in life when you really do find yourself speechless -- and well.....i guess this is one of them.  I must say - if this is the way these folks plan to do business, you might want to:  (a)  Not enroll or (b) enroll and quickly find yourself a good lawyer.

Ug.