TSA Approach to Threat Modeling, Part 3

It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that:

So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; so the same information is on a Delta, US Airways, American and all other boarding passes. I am just using United as an example. I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

(“Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System”)

So, apparently, they’re not even preventing yesterday’s threats, ones they knew about before the recent silliness or the older silliness. (See my 2005 post, “What Did TSA Know, and When Did They Know It?”)

What are they doing? Comments welcome.
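The quoted post’s finding is that the Pre-Check indicator sits in the barcode as plaintext. For that particular field the property a checkpoint needs is integrity rather than secrecy: the scanner has to know that the airline, not the passenger, set the value. The following is an added example, not the post author’s code and not anything the TSA or any airline actually uses: an issuer computes an HMAC-SHA256 tag over the fields, and a checkpoint scanner holding the same key refuses three-beep treatment unless the tag verifies. Field names follow the quoted post; the record layout, the key and the sample values are constructed and do not follow the real IATA barcode format.

```python
import hashlib
import hmac

# Constructed demo key; in a deployment this is a per-issuer secret held by the
# airline and the checkpoint scanners (or replaced by a signing key, see note).
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"

# Field names from the quoted post; the pipe-separated layout is invented here.
FIELDS = ("name", "pnr", "flight", "seat", "precheck")


def encode_pass(fields: dict) -> str:
    """Serialize the readable part of the pass. This part is plaintext, which is
    exactly what the quoted post observed; the tag added below protects it."""
    return "|".join(str(fields[f]) for f in FIELDS)


def issue_pass(fields: dict, key: bytes = ISSUER_KEY) -> str:
    """Airline side: append an HMAC-SHA256 tag over the serialized fields."""
    body = encode_pass(fields)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_pass(encoded: str, key: bytes = ISSUER_KEY):
    """Checkpoint side: return the parsed fields only if the tag is authentic.
    Any change to name, PNR, seat or the Pre-Check digit invalidates the tag."""
    body, sep, tag = encoded.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    parts = body.split("|")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def precheck_beeps(encoded: str, key: bytes = ISSUER_KEY) -> int:
    """Scanner decision: 3 beeps (Pre-Check lane) only for an authentic pass that
    carries the Pre-Check flag; anything else, including a pass whose tag does
    not verify, gets 1 beep and standard screening."""
    fields = verify_pass(encoded, key)
    if fields is None or fields["precheck"] != "3":
        return 1
    return 3


if __name__ == "__main__":
    sample = {"name": "DOE/JANE", "pnr": "ABC123", "flight": "UA1234",
              "seat": "12A", "precheck": 3}
    issued = issue_pass(sample)
    print(issued)
    print("beeps:", precheck_beeps(issued))
```

Two design points follow from the code. An HMAC means every scanner holds the issuer’s secret, so a compromised scanner can mint tags; a public-key signature lets scanners verify with only the public key, which is the better fit for a system spanning many airlines. And this protects integrity only: the name and PNR are still readable by anyone with a barcode reader, which is the separate confidentiality point the post makes when it X’s out the reservation details.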

Proof of Age in UK Pilot

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:”

It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint biometrics and NFC to allow young people to prove that they are 18 years or over at licensed premises (e.g. bars, clubs).

The principle is simple: a young person brings their proof of age document (Home Office rules stipulate this must be a passport or driving licence) to a participating Post Office branch. The Post Office staff member checks the document using a scanner, and confirms that the young person is the bearer. They then capture a fingerprint from the customer, which is converted into a hash and used to encrypt the customer’s date of birth on a small NFC sticker, which can be affixed to the back of a phone or wallet. No personal record of the customer’s details, document or fingerprint is retained either on the touch2id enrolment system or in the NFC sticker – the service is completely anonymous.

So first, I’m excited to see this. I think single-purpose credentials are important.

Second, I have a couple of technical questions.

  • Why a fingerprint versus a photo? People are good at recognizing photos, and a photo is a less intrusive mechanism than a fingerprint. Is the security gain sufficient to justify that? What’s the quantified improvement in accuracy?
  • Is NFC actually anonymous? It seems to me that NFC likely has a chip ID or something similar, meaning that the system is pseudonymous.

I don’t mean to try to allow the best to be the enemy of the good. Not requiring ID for drinking is an excellent way to secure the ID system. See, for example, my BlackHat 2003 talk. But I think that support can be both rah-rah and a careful critique of what we’re building.
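To make the quoted design concrete, here is an added example of the enrolment and verification flow the article describes: a key derived from the fingerprint encrypts the date of birth on the sticker, the sticker holds nothing else, and the venue recaptures the fingerprint to decrypt and check the age. This is not Touch2id’s code and its internals are not published on the page; the function names, the salt-plus-tag sticker layout, and the fingerprint “template” (a constructed byte string assumed to be identical at every capture) are all assumptions of this example. It uses only the Python standard library, so HMAC-SHA256 in counter mode stands in for a real cipher.

```python
import hashlib
import hmac
import os
from datetime import date

# Hypothetical constants and helpers for the flow described in the article.
KDF_ITERATIONS = 100_000


def derive_keys(fingerprint_template: bytes, salt: bytes):
    """Turn the (assumed stable) fingerprint template into separate encryption
    and MAC keys. The salt is public and lives on the sticker: it reveals
    nothing about the finger but makes two enrolments of one person differ."""
    master = hashlib.pbkdf2_hmac("sha256", fingerprint_template, salt, KDF_ITERATIONS)
    enc_key = hmac.new(master, b"touch2id-demo/enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"touch2id-demo/mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode: a stdlib-only stand-in for a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def enrol(fingerprint_template: bytes, dob_iso: str) -> dict:
    """Post Office step: produce the sticker contents. Only salt, ciphertext and
    tag are written; neither the fingerprint nor the plaintext date of birth is."""
    plaintext = date.fromisoformat(dob_iso).isoformat().encode()  # validates the date
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(fingerprint_template, salt)
    stream = _keystream(enc_key, salt, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def verify_over_18(sticker: dict, fingerprint_template: bytes, today_iso: str) -> bool:
    """Licensed-premises step: recapture the finger, rederive the keys, check the
    tag (a wrong finger or an altered sticker fails here, before any decryption),
    then decrypt the date of birth and compare it with today's date."""
    enc_key, mac_key = derive_keys(fingerprint_template, sticker["salt"])
    expected = hmac.new(mac_key, sticker["salt"] + sticker["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sticker["tag"]):
        return False
    stream = _keystream(enc_key, sticker["salt"], len(sticker["ciphertext"]))
    plaintext = bytes(c ^ k for c, k in zip(sticker["ciphertext"], stream))
    try:
        dob = date.fromisoformat(plaintext.decode())
    except ValueError:  # also covers UnicodeDecodeError
        return False
    today = date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= 18


if __name__ == "__main__":
    finger = b"constructed-template-of-enrolled-customer"  # constructed sample
    sticker = enrol(finger, "2000-06-15")
    print(verify_over_18(sticker, finger, "2018-06-15"))      # True: 18 today
    print(verify_over_18(sticker, b"someone-else", "2018-06-15"))  # False: wrong finger
```

The example exposes the two questions a practitioner would put to the design. First, it assumes a byte-identical fingerprint template at every capture; real biometric samples vary between readings, so hashing raw data does not give a stable key, and a production system needs a fuzzy extractor or a matcher in front of the key derivation. Second, the NFC chip’s own serial number is outside this payload altogether, which is exactly the author’s pseudonymity question: the sticker contents above are unlinkable, but the chip that carries them may not be.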

Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch”)

I don’t want to minimize the issue here. Assuming the allegations are correct, the company’s assurance in their trust of their employees is diminished, they may face compliance or contractual issues, and they’re out at least 1.4 million dollars, most of which has likely been spent. A good number of folks are having bad days, and I don’t want to add to that.

At the same time, I do have a number of comments.

First, those background check services sure are expensive! I wonder how many people that was.

Hmmm, according to their website, “In the past six years Noble has grown from 1,500 employees to over 14,000.” I do wonder how many of the “background checks” came back with false allegations of past misconduct. If there were 14,000 people with no red flags, isn’t that something of a red flag in and of itself? I also wonder (in a law school hypothetical sort of way, and assuming with no evidence that Wright or an accomplice fabricated false reports on some people so that his fraud went undetected) what sorts of claims might be available to those denied employment based on those untrue statements?

Second, there’s something of a natural experiment here that lets us assess the value of background checking. Assuming Noble Americas Corporation runs a second set of background checks, I’m very curious to know how well spent that $2m* will have been: how many employees do they fire, having learned of something so heinous that the employee can’t be kept, and how many do they fire, having been handed a reason to get rid of a poor performer? (Naturally, those 2 numbers will be rolled into one.)

Lastly, there’s an interesting social engineering angle here. There’s a real company “ChoicePoint” now part of LexisNexis. (ChoicePoint was made famous for their awesome handling of a 2003 data breach, which this blog diligently covered.) So when naming a false background check company, Choice Point Screening seems like it might be a new brand for the company. An auditor, seeing all those background checks, is unlikely to focus in on the extra space. It’s a nice touch.

Follow your passion?

Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end up happy.

As I considered my options during my senior year of college, I knew all about this Cult of Passion and its demands. But I chose to ignore it. The alternative career philosophy that drove me is based on this simple premise: The traits that lead people to love their work are general and have little to do with a job’s specifics. These traits include a sense of autonomy and the feeling that you’re good at what you do and are having an impact on the world. Decades of research on workplace motivation back this up. (Daniel Pink’s book “Drive” offers a nice summary of this literature.)

(“Follow a career passion?” Cal Newport)

It may be confirmation bias, but I’m feeling a real sense of relief from these career articles in the New York Times. Growing up, I had a series of plans that I was forced to make. Many of these were foisted on me by well meaning folks who wanted to ensure that I avoided defaulting to petroleum transfer engineering. The experience of these guidance counselors was that if you don’t have a plan, you end up at wits end. There was a series of random events that took me off the path that I’d planned, and brought me where I am today.

As a silly example, if someone had told me that going to an intrusion detection conference in Belgium was going to lead to me writing a book 5 years later, I wouldn’t have even laughed. I would have just shaken my head.

The idea that job satisfaction comes from things other than painting by numbers is important. For a great deal of human history, most people worked on their farm or someone else’s, and received little in the way of cash payment. The idea of the organization man required organizations big enough to stick around for your entire life. Professionals worked for themselves, or really, whoever walked through the door on a given day.

More and more folks are working independently. Some of that is by choice. Avoiding the mind-numbing meetings, politics, and co-workers you don’t like can be rewarding. Focusing on projects, where you can see an outcome and a deliverable, can be clarifying. On the other hand, a lot of people are getting forced there, and for a lot of people, it’s a rough place to be. I think much of that roughness relates to the unpredictability (where’s my next job coming from?), but I also think a lot of it comes from believing that a successful person is painting by numbers. That they’re following a preset plan. And if you’re “just” consulting or contracting, you are not doing that, and therefore, you’re not successful.

What emerges over the course of a life is hard to predict. Demanding that it be both awesome and according to plan is a much harder expectation to meet than just accepting the awesome which comes your way.

Rejecting the chaos of interesting and random opportunities that came along would have made for a different career for me. Would it have been interesting? Probably. Would it have been as rewarding? It’s hard to say. But I doubt it.

So next time you’re thinking about a career choice, try rejecting the paint by numbers approach, and embracing the emergent chaos that might come from looking for more of a chance to build and flex your skills, to have an impact on the world, or to find co-workers who you can learn from.

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students:

There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift for their birthday or whatever and it was a paint-by-number set or a connect-the-dots book.

So with the paint-by-number set, you know ahead of time what it’s going to look like. Then, by contrast, with a connect-the-dots puzzle, you can only guess at what it might look like by the time you finish. And what you notice about that process is the further along you get, the more clear it becomes. It might be a beach ball, or a seal in a Sea World park or something. The speed at which you connect dots gets faster as the picture starts coming into view.

You probably get the parallel. This isn’t about what’s right and what’s wrong. This is about getting it right for you. Parents often want you to paint by numbers. They want it so badly because they have a perception that it’s lower risk, and that’s the encouragement they’re going to give you. They’re going to push you down this road, and faculty members will, too, because they want you to deliver on what they taught you. It doesn’t make it wrong; it’s just that there’s a bias in the system. You have to decide for yourself. The earlier you actually get it right for yourself, the faster and the better that picture is going to look.

And the more time you spend on paint by numbers when you’re a connect-the-dots person, and vice versa, the harder it’s going to be. (Mark Templeton, quoted in “Paint by Numbers or Connect the Dots”)

When I got started in information security, there were a lot fewer jobs. They were less categorized. There might have been degrees in information security, but there certainly were not “Centers of Excellence” churning out graduates. (It turns out “degree” is one of those terms, like “hotel” or “mesothelioma” that’s so heavily SEO’d that it’s a pain to search that history.) Because there was no “paint by numbers” path, people entered the field from a wide variety of backgrounds. Everyone was connecting the dots as we went.

Anyway, I like the analogy, and think it explains why a lot of career advice fails to help its intended recipients.