Terror Watchlist "Crippled By Technical Flaws"
Posted by
kdawson
on Tue Aug 26, 2008 07:08 AM
from the little-bobby-datas-we-call-him dept.
I Don't Believe in Imaginary Property writes "The database used by the government to generate lists like the No-Fly List is 'crippled by technical flaws,' according to the chairman of a House technology oversight subcommittee. And the upgrade may be worse than the original. Rep. Brad Miller (D-NC) says that 'if actually deployed, [the upgrade] will leave our country more vulnerable than the existing yet flawed system in operation today.' It seems that the current database doesn't have any easy way to do plain-text matching, forcing users to enter SQL queries. That might not sound so bad until you learn that the database contains 463 poorly indexed tables. How long until there's a terrorist named Robert'); DROP DATABASE; —?"
That's what happens when.... (Score:5, Insightful)
Re:That's what happens when.... (Score:5, Funny)
Parent
Re:That's what happens when.... (Score:5, Interesting)
Yeah! I fail to see the problem here. So, due to design flaws the terrorist watch list is difficult to do searches on. Maybe they can just get the California Cobol [slashdot.org] programmers to fix it.
I fail to see how the terrorist watch list is ANY different from the communist black list of the 60s. All it takes to get put on there is a neighbor that doesn't like you. In order to get taken off, an agent has to be assigned to your case and you have to be investigated so that they are sure you're not a terrorist. With the current size of the list, good luck with that.
CNN has had several articles in the last few weeks dealing with the terrorist watch list. My favorite was about three people named "James Robinson" [cnn.com]. The article mentions that one of the Jameses would just get tickets using the first name "Jim" and he wouldn't be hassled. Another would just run his first and middle name together and it wouldn't get flagged. Of note from that article, "The TSA has said the problem lies with the airlines and threatened to fine airlines that tell passengers they are on the watch list." Yeah. Wow. They're trying to make it illegal to tell someone why they're being held and discomforted. If you don't want the information to get out, don't share it. Keep it to yourself.
Article V says, "[you can't be] deprived of life, liberty, or property, without due process of law..." This list deprives liberty (and sometimes property) and is missing a key element.
Article XI says, "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others by the people." Isn't that EXACTLY what's happening?
Parent
Re:That's what happens when.... (Score:4, Insightful)
Considering the modus operandi of this administration, I'd be very surprised if this weren't a widespread practice.
Parent
Re:That's what happens when.... (Score:5, Funny)
Parent
Re:That's what happens when.... (Score:5, Informative)
Oh, boy, are you in for a shock. They dunk you in Holy Water. If you drown, you're hired on the spot. Otherwise, you're a terrorist, and they shoot you.
Parent
Re:That's what happens when.... (Score:5, Funny)
Parent
Re:That's what happens when.... (Score:5, Interesting)
Err... yes. Just FEMA, the CIA, and nearly every other major department. Bush's loyalty test brought us the Katrina aftermath fiasco, and mass resignations at the CIA. He even tried to appoint his personal lawyer to the Supreme Court. As they say, "sh-t flows down-hill." When the man in charge is a complete moron, the entire government suffers.
Sorry, you were probably making a joke. A lot of us on this forum don't get sarcasm as easily as we should.
Parent
Re:That's what happens when.... (Score:5, Informative)
I was intrigued! You gave me the info I wanted to google with - Mass CIA resignations led me to this [washingtonpost.com]
I had no idea how bad it was. Retrospectively, the bashing the CIA got seems stupid considering the impossibility of what they have to accomplish... not just now, but after pissing off most of the world in the last 8 years.
Parent
It'll all work itself out ... (Score:5, Funny)
The amount of people they want to include on their "t3rr0rz l1zt" it'll only be a matter of time before we have
Osama Bin CREATE INDEX;
and
Saddam OPTIMIZE TABLE;
Then everything will be hunky dory again.
Re:It'll all work itself out ... (Score:5, Funny)
Actually, I think the SQL 2012 standard only supports the short form, "SADDAMIZE TABLE".
Parent
Re:It'll all work itself out ... (Score:5, Funny)
Saddam OPTIMIZE TABLE
Actually, I think the SQL 2012 standard only supports the short form, "SADDAMIZE TABLE".
Not to be confused with the more penetrative command SOD... nevermind.
Parent
Number of tables (Score:5, Interesting)
That might not sound so bad until you learn that the database contains 463 poorly indexed tables.
This is not a good measure of how good or bad a database is. It's good to have a table for every type of data and every data type. Read about normalization. You can go overboard, but as long as your database is designed well, having 463 tables might be just fine.
I say this because once I heard a consultant say something like "This web application shouldn't need more than 40 tables," when in fact they didn't know much about the details of the web app, which were quite sophisticated, and the real application had more than 100 tables.
Number of tables, no Poorly indexed (Score:5, Insightful)
Parent
Re:Number of tables, no Poorly indexed (Score:5, Insightful)
Wow, so create the indexes then. What's up with you all, this is elementary stuff...a few hours creating the required indexes.
Fixing, or even working on, an application and database developed without proper indexes (and foreign keys) is a real pain in the butt, and fraught with 'danger'.
You lot are carrying on as if it's Y2K
Hey, Y2k was 'just' changing a two digit year to a four digit year. By what seems like your standards there shouldn't be any 'work' behind that either. Just because it's easy to say, doesn't mean that it's easy to do.
Parent
Why Would You Expect Otherwise? (Score:5, Insightful)
Re:Why Would You Expect Otherwise? (Score:5, Interesting)
One could wonder whether the project was set up to address terrorism OR it was set up to generate media-attention?
Parent
Both (Score:5, Interesting)
One could wonder whether the project was set up to address terrorism OR it was set up to generate media-attention?
It was both and then some.
I'm trying to find the link of the guy who started this BS. It was a private citizen who, IIRC, was the one who was involved with Choicepoint. He wrote some code and his algorithm pulled up most of the 9/11 hijackers and then some. He had some false positives even then, but it was the Government's wet dream and it solved some of their problems (such as that pesky little Constitutional problem of spying on Americans. It's OK if a private company does it -Choicepoint.) and it makes great security theater and it creates some big fat Government contracts for some big fat cats with Government connections.
Need more caffeine and I'm getting tons of false hits from Google trying to find the cite - it is over 7 years old, ya know.
Parent
Re:Why Would You Expect Otherwise? (Score:5, Insightful)
C) Keep the terror level artificially high.
http://www.dhs.gov/xinfoshare/programs/Copy_of_press_release_0046.shtm [dhs.gov]
The United States government's national threat level is Elevated, or Yellow.
The U.S. threat level is High, or Orange, for all domestic and international flights.
So for the rest of you it's only Yellow, but if you're flying, it's Orange!
Parent
Terrorism measures and the TSA (Score:5, Insightful)
One could wonder whether the project was set up to address terrorism OR it was set up to generate media-attention?
I work at an airport, in administration, and trust me when I say this has very little to do with dark political conspiracies, and a lot to do with the government's haste to show they were "doing something" after 9/11. This project was quickly rushed into service, and has been widely reviled by airports and airport police departments across the country. And other similar measures... the current background check process for giving access to secured areas, and the very creation of TSA itself, were all measures to reassure the public that something was getting done. The problem is that government enterprises like these tend to become bipartisan boondoggles, with every state and major city wanting a piece of the political and funding action these things entail. Federal agencies tend to become monsters that need to justify their own existence by constant growth. TSA in particular is quickly becoming a large federal law enforcement agency, not just a baggage security team. When they were first set up, several of their nascent teams moved and basically tried to take control of several airports... I know of one major southern airport where they simply showed up one day, declared that a series of offices now belonged to them, and when the airport director came down to see what was going on, they tried to have him arrested by his own police force for "violating federal facilities". Anyone that works with AAAE members (airport execs group) knows what incident I'm talking about.
Did you know that TSA will now be issued police-like blue uniforms, with metal badges, just like cops? Airport police and the metropolitan police departments that supplement them just looooove that, and there's the inevitable talk of actually giving said TSA agents firearms. Unlike some other police departments, TSA agents are being encouraged to wear their uniforms and badges in their spare time, in order to enhance the agency's "visibility" to the public. There are already jokes that TSA SWAT teams are inevitable at airports. The problem is, the laughter doesn't last very long when we realize that the way things are going, that might not be a joke so much as a prediction of the future.
Parent
Re:Why Would You Expect Otherwise? (Score:5, Interesting)
I like the idea of having a fly at your own risk airline where you can just "risk it" and not have all these so called "protections". I bet it would put the airlines with the TSA out of business in a week.
Parent
Re:Why Would You Expect Otherwise? (Score:5, Interesting)
That could work.
Risk it airlines, where there are no security checks to get on board and the only security measures are to detect when a plane has been hijacked and once confirmed a killswitch is activated to simply blow it out of the sky. Might have to pay the pilots more but I'd travel on one of those.
Parent
Re:Why Would You Expect Otherwise? (Score:5, Insightful)
The Mythbusters disproved the "hole in the plane causes explosive decompression" myth.
From http://mythbustersresults.com/episode10 [mythbustersresults.com] :
So you could theoretically have armed people on the plane shooting at terrorists and not causing huge problems if they miss. (Well, except for passengers that get in the way.)
I think the best solution is to lock the pilot's door before boarding. Then the pilots are instructed to not open the door under any circumstances. If terrorists threaten to kill passengers, the pilots are to land the plane and won't be held accountable for any deaths that result. After all, giving in to the demands to open the door and turn over control of the plane could mean the death of all on board as well as people on the ground. The pilot's door should also be bullet-proof (in case a weapon is smuggled on board).
El Al does this (in addition to other security measures) and they haven't had a single hijacking even though they're a huge target.
Parent
Re:Why Would You Expect Otherwise? (Score:5, Funny)
This airline is sounding better and better. Kill switches to blow it up in midair, marines to put passengers in their place. I can see someone running with this idea and making a fortune, and to think we were part of the thread that first hatched the idea.
My addition to this would be that to ensure the safety of people on the ground the planes in this hypothetical airline shouldn't be allowed to actually take off, but should instead hug the ground throughout the flight, perhaps on some sort of stabilizing rail, or a magnetic hover track. We might even build a system for running these planes across North America.
Parent
Re:Why Would You Expect Otherwise? (Score:5, Insightful)
It was outsourced. Near the bottom of TFA it says that some of the money was used to renovate a building owned by Boeing.
It's amazing just how many "government screwups" are actually caused by politicians outsourcing to their buddies in private industry (with little to no penalties for failing to deliver what was promised), and have nothing to do with the abilities of actual government employees.
There's actually quite a few smart IT folks in government, but they're not the ones who make decisions on who to outsource this stuff to. In fact, most of them would probably rather build a team and do it In-House, since that way you build up the knowledge internally and can more easily support it later.
So please don't blame government employees for something that Boeing screwed up.
Parent
Re:Why Would You Expect Otherwise? (Score:5, Funny)
Really. So, all private industry is automatically good, or would you care to qualify that statement? The free market has failure modes, you know. Perhaps you've heard of natural monopoly, imbalance of information, and externalities?
Hear that noise? It's the sound of thousands of libertarians plugging their ears and yelling "LA LA LA" as loud as they can.
Parent
the first person (Score:5, Funny)
Re:the first person (Score:4, Funny)
Are you sure that's possible, I thought Microsoft Access Databases were invulnerable?
Parent
It's _not_ crippled by technical flaws. (Score:5, Insightful)
It's crippled by being a moronic concept in the first place ("You've got the wrong name and _maybe_ the wrong date of birth, and you're not flying.") and an absolutely arbitrary process of putting names on the list, and no way of ever getting a name off the list.
Fix those points first, and _then_ worry about technical details.
Re:It's _not_ crippled by technical flaws. (Score:5, Interesting)
Oh, come on! We all know to be terrified of letting 5-year-olds onto the plane [king5.com] (video). If they share a name, they're bound to share ideologies. And what better place to hide explosives than in a shitty diaper?
And that kid was only wanted by the INS! I can just imagine the hilarity ensuing when they clear an airport because another kid "made a stink bomb" in his diaper - we all know how much the TSA loves words like those.
Parent
Re:It's _not_ crippled by technical flaws. (Score:5, Funny)
Parent
Re:It's _not_ crippled by technical flaws. (Score:5, Insightful)
Parent
Re:It's _not_ crippled by technical flaws. (Score:4, Informative)
Technically, the Terrorist Watch List Database contains about 400,000 unique persons, of which the remainder represents known aliases. This is the so-called "green light" list, with no restrictions on them whatsoever. The "yellow light" list is much smaller, about 10,000 unique persons, and only subjects these people to desk check-ins and special searches. The *actual* No Fly list (the "red light" list) is itself a small fraction of that, perhaps 1,000 people at the most.
Add that to the fact that Congress is starting to mandate some sanity checks and ways to be removed from the list, I could see this someday being useful... just not today.
Parent
Re:It's _not_ crippled by technical flaws. (Score:5, Funny)
Apparently Nelson Mandela was on the list, until the fact was embarrassingly publicized and he was finally removed.
So, easy solution - if you don't want to be bothered by the no fly list then change your name to Nelson Mandela...
Parent
Re:It's _not_ crippled by technical flaws. (Score:5, Funny)
But hey, it's not that bad! After all, since all terrorists use their real names when flying, it is sure to catch them all.
Ever wonder why no suicide bomber has been able to strike twice? It's because of the no-fly-list, I tell you!
Parent
Re:It's _not_ crippled by technical flaws. (Score:5, Interesting)
After all, since all terrorists use their real names when flying, it is sure to catch them all.
The irony of your post is that most of the perpetrators of recent terrorist attacks in the West had valid ID and were, in many cases, citizens of the country they attacked. Even with all the intrusive surveillance, vast databases and draconian security measures, they still got through, just by keeping a low profile until they were ready to attack. Which tells you exactly how much measures like the list we're talking about are actually worth in practice...
Parent
Size Comparison (Score:5, Informative)
Are these names on the list... (Score:5, Funny)
http://video.aol.com/video-detail/snl-funny-terrorist-names/4040669571 [aol.com]
"M'balz es-Hari"
"Haid D'Salaami"
"Mustaf Herod Apyur Poupr"
"Usuqa M'diq"
"Hous bin Phartin"
"I'zheet m'drawrz"
The lists. (Score:4, Interesting)
A friend of mine is the security manager for a fairly large company. They have offices all over the world and business in many countries. He tells me that there are at least three "terrorist" lists. The EU list, the UN list and the US list. They are listed from poor to really shitty.
If a person or a company is on either of these lists then they aren't allowed to do business with them as they are suspected terrorists or terrorist backers.
The US list can contain things like "Muhammad, Saudi Arabia", or "Iqbal, Pakistan".
The lists are of no use to them and impossible to follow, but they are required to do so or risk sanctions from EU or the US.
Happy times!
Re:is this "obvious news day" again? (Score:5, Funny)
Because there's nothing a non-USian can learn in such a "story", except that US-ians are teh morons.
Hold on, that's not true! In this story, we learn that the terrorist watch list is not only a bad idea, but it is poorly implemented!
Parent
Re:is this "obvious news day" again? (Score:5, Interesting)
Since he flew a lot for work, the unfortunate consequence was being FULLY searched EVERY time he went through the airport. He finally called up the TSA once and told them, "How about I just come into your office. If I am your man, ARREST ME! If I'm not, then get me off of this list!" to which they responded, "I'm sorry sir, but it doesn't work that way."
All in all, it took him over 3 years to finally get his name off. I think the criteria for being on the terror watch list are pretty well summed up here:
-If you have the same name, initials or hair color as a felon, you're on the list.
-If you've ever lived within a 5 mile radius of a felon, you're on the list.
-If you've ever flown on an airline that a terrorist has ever attacked before, you're on the list. and finally.
-If airport security is bored, you're on the list.
Any thoughts?
Parent
Re:is this "obvious news day" again? (Score:5, Funny)
I just put you on the list.
Parent
Re:is this "obvious news day" again? (Score:5, Interesting)
My uncle had a similar experience to your relative when he was returning from Jamaica (he was there for his anniversary). He had the exact name (middle too) of a wanted felon and was detained in customs for hours before they finally figured out he was from the other side of the country as his evil name-twin. As he pointed out at the time, "If I was the person they were looking for, would I be quite so stupid as to travel under my real name with genuine IDs in my name?" It's not like the guy was just "suspected"...he was pretty much a known criminal/fugitive.
Parent
Re:is this "obvious news day" again? (Score:5, Insightful)
-If you have the same name, initials or hair color as a felon, you're on the list.
-If you've ever lived within a 5 mile radius of a felon, you're on the list.
Any thoughts?
It takes more than just being a felon.
I have a felony conviction (non-violent). I've flown 3 times since being discharged from parole and haven't run into any difficulties at the airports.
There are many different types of felonies. Many felons are, indeed, very very bad people. However, I personally know several convicted felons who I would trust to babysit my children, or loan money to. Most of the people I know in that category got their felony convictions as a result of substance abuse issues and have since cleaned up their act.
Just wanted to point out that having a felony conviction doesn't necessarily mean somebody is an evil person.
Parent
Re:is this "obvious news day" again? (Score:5, Funny)
Just wanted to point out that having a felony conviction doesn't necessarily mean somebody is an evil person.
... nah, it just means that they didn't have a very good lawyer.
Parent
Re:is this "obvious news day" again? (Score:5, Informative)
My co-worker's 2-year-old daughter was on the list. It took 4 years to get her name removed.
It must have been her evil plot to drop a bomb in her diaper.
Parent
Re:Robert'); DROP DATABASE; -- (Score:5, Funny)
I think you mean Little Ahmed Tables.
Parent
Re:Robert'); DROP DATABASE; (Score:5, Funny)
I wonder if I'm the only SQL noob who had to look up the "drop database" command to see that indeed it is valid?
Why look it up when you can test it out for yourself?
Parent
Re:More wasted money! (Score:5, Interesting)
I'm sure somebody at the Justice Department decided that this database should be easy to build ("It's just a list!"), and rather than bring in some professionals to design it, they slapped it together on their own.
If you'd bother reading the report, available at http://democrats.science.house.gov/Media/File/Commdocs/Staff_Memo_toBM_terror_watch_8.21.08.pdf [house.gov], you'd see that Boeing is responsible for the current system. So, yes, a private professional company, employing experienced DBAs is responsible for the current system. If you'd spent much time consulting for private industry you'd know that this sort of thing isn't unique to the government. It's just that it's much more likely to come to light if it's a government project. I've seen many examples in private industry where companies, large and small, end up in the same bind. This is what happens when rapidly evolving requirements are shoehorned into databases whose original designs could never have anticipated those requirements. Projects like this don't have scope creep so much as scope leap. Software messes that are difficult to migrate almost invariably occur.
Parent
Re:Oh hey (Score:5, Interesting)
I was for a while. I apparently got taken off of it a few months before they publicly admitted its existence.
It was fun. During my time on it, I flew 37 times. I got "randomly" selected for the extra search all 37 times. I ran the numbers for a TSA agent once who insisted it was purely random, and came up with something like one in a few hundred quintillion chance of that actually happening if it was truly random. Still failed to convince the agent it was not, though.
It was great when I had to fly out of LAX. Unlike most airports, that one had a special line for the special searches. So, instead of standing in line for an hour and a half to walk through the metal detector in ten seconds like most people, I waited in line for five minutes, then spent another 2-3 getting searched.
Most airports made me wait in line with the non-terrorists, though.
I'm still not sure what it was that got me on the list, whether it was carrying a knife onto the plane, twice, or the rather obvious joke I made while taking off my shoes. ("It's a good thing that that guy didn't put the bomb in his underwear").
Did you know that it's illegal to even say the word "bomb" in an airport? TSA explained this to me at great length that day.
(The knife, by the way, was a cub scout pocket knife, and it had already been through three searches without being noticed. Four if you count my checking the bag before I left to make sure I didn't leave anything in it.)
Anyway, at some point I got dropped off the list. I don't know why. Maybe it got too full, or maybe they decided that after 37 flights I wasn't a threat, or perhaps they were cleaning up the database before they publicly admitted its existence.
Before I dropped off of it, though, I purchased one-way tickets for a couple of friends who'd helped me move to another state. (We drove out, they flew back). They've both been pulled over for the extra "random" searches now, too.
Parent