
TSA - Not Living Up to Its Middle Name

The Transportation Security Administration is extending an olive branch to airline travelers who have been delayed or prevented from boarding a plane on account of their name matching an identical one on the agency's "no-fly" list. The TSA recently created a Web site designed to help disgruntled detainees clear their name. However, the would-be passenger must supply some personal data, including date and place of birth, as well as identifying numbers for a driver's license, birth certificate or passport.

This could be a useful service. But TSA is not living up to its middle name - Security. TSA and the contractor that built the site have overlooked a key piece of cyber protection. The site requests a lot of personal information. When a person clicks on "submit form," it transmits an individual's data to TSA without the benefit of the secure data transfer offered by secure sockets layer. In a site secured by SSL, a Web address begins with an "https://" rather than "http://".

Consider what this means for a passenger who is stewing in the airport terminal after missing his flight because a TSA screener confused him with that other Robert Johnson on the TSA's special list. The good Mr. Johnson is told he can try to prevent this misunderstanding from happening again if he submits data requested by the travel identity verification site. He pops open his laptop, hops on the airport terminal's wireless network, completes the form and clicks "submit." Meanwhile, a digital terrorist on the other side of the terminal has just captured the data Johnson submitted because it was sent without SSL.

A tip o' the hat to Chris Soghoian, the boarding pass hacker who spotted this latest transportation security foible.

Noted cryptologist and security expert Bruce Schneier is fond of saying that so much of the Homeland Security Department's protections are "security theater." He says they are constructs designed not necessarily to make us more secure but rather to make us feel more secure. I think that aptly captures much of what is sold to the public in the name of physical and Internet security. But a security device should at least adhere to the physician's motto -- to do no harm.

Update, 9:10 a.m.: Some folks have written in to say they've seen the site offer an SSL certificate but that it warns of a certificate error. If you navigate to the submission form from the main page by clicking on the Traveler Identity Verification form link, it takes you to this page, which offers two links to the same form -- one beginning in "https://" (the link at the top), and another one halfway down the page that does not offer the SSL certificate.

Those commenting so far were visiting the site in Firefox, but when I visit the SSL page in Internet Explorer 7, it gives me a warning page that says "There is a problem with this Web site's security certificate. We recommend that you close this webpage and do not continue to this website."

By Brian Krebs |  February 14, 2007; 7:40 AM ET
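The two problems described in the post and its update (a form collecting personal data that submits over plain HTTP, and a page linking to the same form over both schemes) can be checked for mechanically. The following is an added example, not part of the original article or the site's code; the host `forms.example.gov`, the field names and the `SENSITIVE_HINTS` list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed name fragments for the kinds of data the article says were requested.
SENSITIVE_HINTS = ("birth", "passport", "license")

class FormAudit(HTMLParser):
    """Collect forms (with their field names) and links from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.links = page_url, [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the scheme of the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._form = {"action": action, "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            self._form["fields"].append((a.get("name") or "").lower())
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(page_url, html):
    p = FormAudit(page_url)
    p.feed(html)
    findings = []
    for f in p.forms:
        hits = [n for n in f["fields"] if any(h in n for h in SENSITIVE_HINTS)]
        if hits and urlsplit(f["action"]).scheme != "https":
            findings.append(("cleartext-form", f["action"], hits))
    # Same host and path linked over both schemes: the http link bypasses TLS.
    links = [urlsplit(u) for u in p.links]
    https_targets = {(u.netloc, u.path) for u in links if u.scheme == "https"}
    for u in links:
        if u.scheme == "http" and (u.netloc, u.path) in https_targets:
            findings.append(("mixed-scheme-link", u.geturl(), []))
    return findings

# Constructed sample pages (not captured from any real site).
LANDING = ('<a href="https://forms.example.gov/pivf.htm">Form</a>'
           '<p>text</p><a href="http://forms.example.gov/pivf.htm">Form</a>')
FORM_PAGE = ('<form method="post" action="submit.cgi"><input name="full_name">'
             '<input name="date_of_birth"><input name="passport_number">'
             '<input type="submit" value="submit form"></form>')
```

The same form markup produces no finding when the page is loaded over `https://`, because the relative `action` follows the page's scheme; that is why a leftover `http://` link to the form is enough to send the data in cleartext.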

Comments




Bruce Schneier's comments strike me as hilarious, especially in the wake of the recent hysteria in Boston. The mere *existence* of the Homeland Security Department makes Americans feel less secure! We are, I believe, no more or less secure than we were on 9/10; however, the perception that we now need a Homeland Security Department, the idea that a box with flashing LEDs could be a bomb, these things increase feelings of insecurity, rather than decrease them.

Posted by: Randy Orrison | February 14, 2007 8:33 AM

Looks like the site is using SSL now, although Firefox gives me popup warnings saying "Website certified by an unknown authority" and then "Security error: domain name mismatch." That's comforting.

And what's with this Transportation Security Administration site using desyne.com instead of tsa.gov? Weird.

Posted by: t_joe | February 14, 2007 8:36 AM

T_Joe -- You're seeing an "https://" in front of the url:

http://rms.desyne.com/pivf.htm

?

I'm not seeing that, and I've loaded it in Firefox and IE.

Posted by: Bk | February 14, 2007 8:45 AM

I get the same message as t_Joe in Firefox and IE. Inspect the certificate - it is self-signed by desyne. If you don't get the warning, it might be wise to check your internet options to see why - you would be vulnerable to any hacker who wants to self-sign a banking site certificate.

Posted by: Moike | February 14, 2007 8:58 AM

Brian: yes, I get the SSL form if I start at http://rms.desyne.com and follow the links from there.

Posted by: t_joe | February 14, 2007 9:00 AM

The TSA link brought me to:
https://rms.desyne.com/pivf.htm .

However I get a red security warning (using IE7) advising me to check the certificate.

Posted by: Capt K | February 14, 2007 9:16 AM

Unbelievable, it's almost like the TSA people can do math and realize that it may not be cost effective to even attempt to do anything to protect us from serious Terrorists, and are only using the smoke and mirrors to fend off the want-to-be crowd. It's pretty much impossible at the moment to keep a Serious terrorist from blowing up a plane. One shoulder fired missile and that is all she wrote.

Posted by: Muddy | February 14, 2007 10:19 AM

More wonderful effects of outsourcing.

Based on the certificate, the TSA subcontracted the creation of the site to a Web design firm in VA called Desyne Web Services, Inc.

Incredible that they would take the site live using a self-signed certificate. It shows major incompetence at both the TSA (elementary oversight should have caught this) and at Desyne, Inc.

Someone is either too stupid or too cheap to purchase a real SSL certificate before putting up a site that asks for personal data.

This is Web Development 101. Anyone who has ever worked on an ecommerce site should be aware of the issues...

Posted by: Mark A. Gollin | February 14, 2007 10:32 AM

Re: not using tsa.gov:

Maybe they don't want us to see all the little hearts on their logo/banner today.

Just stupid.

Posted by: R_K | February 14, 2007 12:04 PM

I will never forget giving a briefing on how lax security was and how ANYONE could get dangerous substances or weapons past checks and onto a plane. Sure, there are a few extra steps in place, but nothing that would actually stop someone who was determined, much less a coordinated attempt by multiple individuals to board at once. Heck, there are still stories of people winding up at the wrong airports, or getting on without tickets! Our nation's top security pros- the FBI- have lost 1000 firearms and nearly as many laptops! I expect nothing great from TSA. Any sense of security you have is a false one.

Posted by: Chris | February 14, 2007 12:33 PM

I just saw on yahoo news that they want to let 7000 Iraqi refugees into the US. While I think that is sweet and all, it just makes it that much easier for terrorists to slip in. Should they not focus on building their country instead of weakening the security of ours?

Posted by: Chris | February 14, 2007 1:01 PM

Why should this be a surprise?

Here is some less techobvious flaws in hail to the Keystone Cops of security.


Afghan opium trade is up over 50% since homeland security, drug trafficking has never been better and more illegal immigrants than ever before are entering the country ever since Homeland security has been enacted.

Alternate energy is the key to security yet the powers that really run this country are doing everything to sabotage it.

Posted by: James Bobreski | February 14, 2007 1:15 PM

And now... the TSA Traveler Identity Verification site is at dhs.gov and there's no more certificate error.

Doin' a heckuva a job there, brownie. I feel more secure already.

Posted by: t_joe | February 14, 2007 1:32 PM

I am not finding registration on the dhs.gov site. I am finding information *about* the program at http://www.tsa.gov/travelers/redress/index.shtm
The links on that page to fill out said form all go to http://rms.desyne.com/ and generate a "server not found" error.
So, perhaps someone reacted and pulled down the site, perhaps there have been too many hits on the site? Whichever is the case, the site is now just useless and not dangerous. It does get old when our government agencies that are supposed to be security focused (include FBI, etc.) seem to make such elementary mistakes in computer security!

Posted by: Library Geek | February 14, 2007 2:20 PM

I'm seeing the form and all pages accessed from the site at a url that begins with https://trip.dhs.gov/, and I get no certificate error.

I agree the site was launched with ineptitude, but I give them credit for reacting quickly and making it right. I suspect they had it set up right, but were pointing us to the wrong site.

Posted by: Mark | February 14, 2007 3:13 PM

The url to check is https://trip.dhs.gov . In my previous post a comma was included as part of the URL, so it wasn't clickable.

Posted by: Mark | February 14, 2007 3:16 PM

Even if the SSL problem is fixed now, one point still standing is why did it take a citizen to point out a web security flaw on a site run by people responsible for our security?

Posted by: Ted Howard | February 15, 2007 8:45 AM

As the co-author who revealed the no fly list as a national embarrassment. This PR stunt is the latest bit of internet eye candy is a joke. The reality is TSA has no say on who is on or off the no fly list. They are not a nominating agency. All they can do is go back to CIA, FBI etc. and ask someone be removed. Since those agencies treat TSA like the last kid picked on the sandlot team chances are small much good will happen. If you have specific incidents of success or failure with TSA we would welcome posts on www.unsafeatanyaltitude.com. We need to focus on the 600,000 airport workers who get no screening and the awful failure rate of current screeners on test weapons. Kip Hawley's engaged in misdirection because TSA cannot take on the real problems because of lack of political will.

Posted by: Joe Trento | February 15, 2007 9:04 AM

I went through the links just now and the personal data is requested at this site

https://trip.dhs.gov/pivf.htm

Maybe TSA fixed it?!?

Posted by: Jim | February 15, 2007 11:09 AM

Regardless of whether it is fixed now, why was the security flaw allowed to happen to begin with? And how many people's private information was possibly compromised in the interim?

Posted by: Ted Howard | February 15, 2007 12:28 PM

The Transportation Security Administration takes the security of personal information very seriously. The personal information TSA collects is protected by the highest set of security protocol standards established by the federal government.

TSA regularly assesses and updates our cyber security protocols and programs to ensure the protection of both public and private data sources. Passengers seeking redress should feel confident that their personal data is protected and used only for its intended purpose.

Posted by: TSA | February 15, 2007 1:20 PM

When I left for the RSA Security Conference last month I accidentally checked in at the wrong airline (they were next to one another). I put in my credit card and a message appeared saying "Persons_Name_Close_To_Mine" has already checked in. I wonder what would have happened if I got there first. Our names are close in nature so I'm not sure it would have been flagged by someone (of course you would have had a disgruntled person checking in later but ...)

Posted by: RB | February 15, 2007 2:49 PM

Nice for the TSA to respond here with a nice canned response. If the TSA takes security so "seriously" then again, I reiterate my question, how did the problem occur with the "security protocol standards" in place? Are the standards being revised so another website under the charge of the TSA doesn't prematurely get released for public use? Has something changed to prevent this from happening again? The fact that the TSA allowed the publishing of a web site that gathers critical personal information and allowed that information not to be encrypted over the wire seems to indicate that, at least in this case, those "security protocols" were either not followed or the protocols need revising.

Posted by: Ted Howard | February 15, 2007 4:45 PM

I have traveled to other places in SOUTH AMERICA and CENTRAL AMERICA and their security "TSA like" agencies have more security practices in place and even more effective than our own TSA here in the United States. I'm talking about countries that don't have the same technology or the budget we in the US have. Bottom line, it's all common sense when it comes to security practices.

Posted by: Juan C Pagan | February 16, 2007 7:44 AM

WHEN IS EVERYBODY, DC INCLUDED, GOING TO REALIZE ANYTHING DHS TOUCHES TURNS TO #$%%^$@$. CBP, TSA ETC, ETC, ETC. LET'S MAKE SURE WE KEEP TAKING THOSE SEALED WATER BOTTLES AND LETTING ICE SKATES GO!!!!!!

Posted by: SLEVINCALEBRA | February 18, 2007 2:55 AM

WHY DOESN'T THIS COUNTRY GET SERIOUS ABOUT SECURITY AND MODEL SECURITY OF LARGE GATHERING PLACES---STADIUMS, MALLS, ARENAS ETC. AFTER LAS VEGAS CASINOS. YES LAS VEGAS CASINOS. THEY CAN SPOT A CHEATER A MILE AWAY BUT THERE ARE NO CAMERAS AT OUR NATIONS AIRPORTS, RAIL SYSTEMS ETC.
PRIORITIES-WHATS THAT MEAN?

Posted by: SLEVINCALEBRA | February 18, 2007 3:19 AM

PLEASE go out and get lives. How much of your lives did you just spend overanalyzing all of this? You could've spent that time climbing out of mommy and daddy's basements and getting out into the real world... it's not like any of you dorks have to actually fly anywhere anytime soon.

Okay, i'm off to go do important things, like enjoying life. Peace. Out.

Posted by: geeveedub | February 18, 2007 8:09 PM

I just went on the TSA website. They have you fill out a pdf form that you either snail mail or fax along with the appropriate documents to properly vet an individual. There is no website.

Posted by: snowjacks | February 19, 2007 5:54 PM

Some updates on the issues have been occurring here (http://blog.wired.com/27bstroke6/2007/02/homeland_securi.html):

Looks like there were/are more problems than just the lack of SSL-issue.

Posted by: Ted Howard | February 22, 2007 1:26 PM

For the love of god, could we please stop applying the term "terrorist" to everyone doing anything even slightly illegal?

Posted by: | February 28, 2007 2:23 PM

The comments to this entry are closed.

 
 

©  The Washington Post Company