Terror Watchlist "Crippled By Technical Flaws"

I Don't Believe in Imaginary Property writes "The database used by the government to generate lists like the No-Fly List is 'crippled by technical flaws,' according to the chairman of a House technology oversight subcommittee. And the upgrade may be worse than the original. Rep. Brad Miller (D-NC) says that 'if actually deployed, [the upgrade] will leave our country more vulnerable than the existing yet flawed system in operation today.' It seems that the current database doesn't have any easy way to do plain-text matching, forcing users to enter SQL queries. That might not sound so bad until you learn that the database contains 463 poorly indexed tables. How long until there's a terrorist named Robert'); DROP DATABASE; —?"

That's what happens when....

That's what happens when your interview questions are a political loyalty test.

Re:That's what happens when....

Don't knock it. This is proof a poor process CAN lead to good results. Those responsible for this should be generously rewarded.

Re:That's what happens when....

Err... yes. Just FEMA, the CIA, and nearly every other major department. Bush's loyalty test brought us the Katrina aftermath fiasco, and mass resignations at the CIA. He even tried to appoint his personal lawyer to the Supreme Court. As they say, "sh-t flows down-hill." When the man in charge is a complete moron, the entire government suffers.

Sorry, you were probably making a joke. A lot of us on this forum don't get sarcasm as easily as we should.

Re:That's what happens when....

I heard they douse you in Holy Water. If it tastes like burning, you're hired on the spot.

It'll all work itself out ...

The amount of people they want to include on their "t3rr0rz l1zt" it'll only be a matter of time before we have

Osama Bin CREATE INDEX;

and

Saddam OPTIMIZE TABLE;

Then everything will be hunk dory again.

Re:It'll all work itself out ...

Saddam OPTIMIZE TABLE

Actually, I think the SQL 2012 standard only supports the short form, "SADDAMIZE TABLE".

Number of tables

That might not sound so bad until you learn that the database contains 463 poorly indexed tables.

This is not a good measure of how good or bad a database is. Its good to have a table for every type of data and every data type. Read about normalization. You can go overboard, but as long as your database is designed well, having 463 tables might be just fine.

I say this because once I heard consultant say something like "This web application shouldn't need more than 40 tables, when in fact they didn't know much about the details of the web app, which were quite sophisticated and the real application had more than 100 tables."

Number of tables, no Poorly indexed

The problem is not the number of tables, but the fact that they are apparently 'poorly indexed'. Table indexes are important, both for the speed of queries, and data integrity.

Re:Number of tables, no Poorly indexed

Wow, so create the indexes then. What's up with you all, this is elementary stuff...a few hours creating the required indexes.

Fixing or even working on, an application and database developed without proper indexes (and foreign keys) is a real pain in the butt, and fraught with 'danger'.

You lot are carrying on as if it's Y2K

Hey, Y2k was 'just' changing a two digit year to a four digit year. By what seems like your standards there shouldn't any 'work' behind that either. Just because it's easy to say, doesn't mean that it's easy to do.

Why Would You Expect Otherwise?

The same US government that screws everything else up should be expected to screw up the terror DB. It was probably written by a junior developer who had never heard of a SQL injection. Isn't making a search form about the easiest project there is to build? I hate to say it, but I'm glad our government is so full of screw ups: pity the list exists at all...

Re:Why Would You Expect Otherwise?

One could wonder whether the project was set up to adress terrorism OR it was setup to generate media-attention ?

Both

One could wonder whether the project was set up to adress terrorism OR it was setup to generate media-attention ?

It was both and then some.

I'm trying to find the link of the guy who started this BS. It was a private citizen who, IIRC, was the one who was involved with Choicepoint. He wrote some code and his algorithm pulled up most of the 9/11 hijackers and then some. He had some false positives even then, but it was the Government's wet dream and it solved some of their problems (such as that pesky little Constitutional problem of spying on Americans. It's OK if a private company does it -Choicepoint.) and it makes great security theater and it creates some big fat Governemtn contracts for some big fat cats with Government connections.

Need more caffeine and I'm getting tons of false hits from Google trying to find the cite - it is over 7 years old, ya know.

Re:Why Would You Expect Otherwise?

Only problem is that it actually affects people try to travel. If the US Gov want to be idiots, fine. But if they want to do it in my name like I somehow want this, there is a problem. If they want to treat me like a criminal in my own country for trying to travel in it, I have a problem. If they want to seize my laptop for no reason because I am trying to travel, I have a problem.

I like the idea of having a fly at your own risk airline where you can just "risk it" and not have all these so called "protections". I bet it would put the airlines with the TSA out of business in a week.

Re:Why Would You Expect Otherwise?

That could work.
Risk it airlines, where there are no security checks to get on board and the only security measures are to detect when a plane has been hijacked and once confirmed a killswitch is activated to simply blow it out of the sky. Might have to pay the pilots more but I'd travel on one of those.

Re:Why Would You Expect Otherwise?

It was outsourced. Near the bottom of TFA it says that some of the money was used to renovate a building owned by Boeing.

Its amazing just how many "government screwups" are actually caused by politicians outsourcing to their buddies in private industry (with little to no penalties for failing to deliver what was promised), and have nothing to do with the abilities of actual government employees.

There's actually quite a few smart IT folks in government, but they're not the ones who make decisions on who to outsource this stuff to. In fact, most of them would probably rather build a team and do it In-House, since that way you build up the knowledge internally and can more easily support it later.

So please don't blame government employees for something that Boeing screwed up.

the first person

to code an exploit that automatically populates tables in the watchlist with entries from the TSA employee database wins.

It's _not_ crippled by technical flaws.

It's crippled by being a moronic concept in the first place ("You've got the wrong name and _maybe_ the wrong date of birth, and you're not flying.") and an absolutely arbitrary process of putting names on the list, and no way of ever getting a name off the list.

Fix those points first, and _then_ worry about technical details.

Re:It's _not_ crippled by technical flaws.

"You've got the wrong name and _maybe_ the wrong date of birth, and you're not flying."

Oh, come on! We all know to be terrified of letting 5-year-olds onto the plane [king5.com] (video). If they share a name, they're bound to share ideologies. And what better place to hide explosives than in a shitty diaper?

And that kid was only wanted by the INS! I can just imagine the hillarity ensuing when they clear an airport because another kid "made a stink bomb" in his diaper - we all know how much the TSA loves words like those.

Re:It's _not_ crippled by technical flaws.

Actually, I'd be pretty cool with banning 5-year-olds from planes.

Re:It's _not_ crippled by technical flaws.

Exactly. The No Fly List [wikipedia.org] is useless because it contains an estimated 1,000,000+ names (really, 1 million terrorists we can't track down?). It's useless because it contains generic entries such as T. Kennedy, which doesn't refer to a person but an alias once used in a crime (Tater Salad might be in there too). It's useless because even once they bomb a terrorist into tiny pieces his name is still on the list (sry, can't rememer who). Not only that, but the list is used for political dissidents too, not just terrorists or dangerous criminals. Apparently Nelson Mandela was on the list, until the fact was embarrasingly publicized and he was finally removed.

Re:It's _not_ crippled by technical flaws.

But hey, it's not that bad! After all, since all terrorists use their real names when flying, it is sure to catch them all.

Ever wonder why no suicide bomber has been able to strike twice? It's because of the no-fly-list, I tell you!

Size Comparison

For those interested: the size of the terror watchlist compared to US cities and States [wellingtongrey.net].

Re:is this "obvious news day" again?

Because theres' nothing a non-USian can learn in such a "story", except that US-ians are teh morons.

Hold on, that's not true! In this story, we learn that the terrorist watch list is not only a bad idea, but it is poorly implemented!

Re:is this "obvious news day" again?

Well let me give you my personal experience about it. I have a relative named "David Hall." Pretty common name huh? Well he was put on the terror watch list years ago because there is a suspicious person named David Hall. He was able to determine that the person they were after was many years older, had a different birthdate, SSN, and even lived in a state he had never been in.

Since he flew a lot for work, the unfortunate consequence was being FULLY searched EVERY time he went through the airport. He finally called up the TSA once and told them, "How about I just come into your office. If I am your man, ARREST ME! If I'm not, then get me off of this list!" to which they responded, "I'm sorry sir, but it doesn't work that way."

All in all, it took him over 3 years to finally get his name off. I think the criteria for being on the terror watch list are pretty well summed up here:

-If you have the same name, initials or hair color as a felon, you're on the list.

-If you've ever lived withing a 5 mile radius of a felon, you're on the list.

-If you've ever flown on an airline that a terrorist has ever attacked before, you're on the list. and finally.

-If airport security is bored, you're on the list.

Any thoughts?

Re:Robert'); DROP DATABASE; â"

I think you mean Little Ahmed Tables.